THE INTUITIONISM BEHIND STATECHARTS STEPS


GERALD LÜTTGEN AND MICHAEL MENDLER

Abstract. The semantics of Statecharts macro steps, as introduced by Pnueli and Shalev, lacks compositionality. This report first analyzes the compositionality problem and traces it back to the invalidity of the Law of the Excluded Middle. It then characterizes the semantics via a particular class of linear, intuitionistic Kripke models, namely stabilization sequences. This yields, for the first time in the literature, a simple fully-abstract semantics which interprets Pnueli and Shalev's concept of failure naturally. The results not only give insight into the semantic subtleties of Statecharts, but also provide a basis for an implementation, for developing algebraic theories for macro steps, and for comparing different Statecharts variants.

Key words. Statecharts, compositionality, full abstraction, intuitionistic Kripke semantics

Subject classification. Computer Science

1. Introduction. Statecharts is a well-known visual design notation for specifying the behavior of reactive systems [7]. It extends finite state machines with concepts of (i) hierarchy, so that one may speak of a state as having sub-states, (ii) concurrency, thereby allowing the definition of systems having simultaneously active sub-systems, and (iii) priority, such that one may express that certain system activities have precedence over others. The success of Statecharts in the software-engineering community is founded on the language's capability for intuitively modeling the complex control aspects inherent in many software systems. However, the search for a practically and theoretically satisfying semantics for Statecharts is still actively pursued at many academic and industrial research laboratories and has led to the definition of numerous Statecharts variants [20].

In a seminal paper, Pnueli and Shalev presented two equivalent formalizations of Statecharts semantics [17]. According to their semantic model, a Statechart may respond to an event entering the system by engaging in an enabled transition. This may generate new events which, by causality, may in turn trigger additional transitions while disabling others. The synchrony hypothesis ensures that one execution step, a so-called macro step, is complete as soon as this chain reaction comes to a halt. Unfortunately, Pnueli and Shalev's semantics violates the desired property of compositionality, which is a prerequisite for modular analyses of Statecharts specifications as well as for compositional code generation. Huizing and Gerth [10] showed that combining compositionality, causality, and the synchrony hypothesis cannot be done within a simple, single-leveled semantics. Some researchers then devoted their attention to investigating new variants of Statecharts, obeying just two of the three properties. In Esterel [3] and Argos [16], causality is treated separately from compositionality and synchrony, while in (synchronous) Statemate [8] the synchrony hypothesis is rejected. Other researchers achieved combining all three properties by storing complex semantic information via preorders [13, 15, 18] or transition systems [6, 14]. However, no analysis of exactly how much information is needed to achieve compositionality has been made so far.

This report first illustrates the compositionality defect of Pnueli and Shalev's semantics by showing that equality of response behavior is not preserved by the concurrency and hierarchy operators of Statecharts. The reason is that macro steps abstract from causal interactions with a system's environment, thereby imposing a closed-world assumption. Indeed, the studied problem can be further traced back to the invalidity of the Law of the Excluded Middle. To overcome the problem, we interpret Statecharts, relative to a given system state, as intuitionistic formulas. These are given meaning as specific intuitionistic Kripke structures [19], namely linear increasing sequences of event sets, called stabilization sequences, which encode interactions between Statecharts and environments. In this domain, which we characterize via semi-lattices and in which Pnueli and Shalev's semantics may be explained by considering a distinguished sub-domain, we develop a fully-abstract macro-step semantics in two steps. First, we study Statecharts without hierarchy operators, which are in fact choice operators in our setting since we observe single macro steps only. We show that in this fragment, stabilization sequences naturally characterize the largest congruence contained in equality of response behavior. In the second step, based on a non-standard distributivity and expansion law, as well as our lattice-theoretic characterization of the intuitionistic semantics, we lift our results to arbitrary Statecharts. It is worth remarking that these results are achieved in a slightly extended Statecharts algebra that allows for general choice operators and also introduces explicit failure events. We show that this extension is conservative over the standard "visual" syntax of Statecharts. As a byproduct, this report suggests a natural way of admitting disjunctions in transition triggers, thereby solving a logical inadequacy of Pnueli and Shalev's setting. Moreover, our results build a foundation for an efficient implementation of Pnueli and Shalev's semantics that avoids backtracking, for algebraic characterizations of macro-step semantics, and also for comparisons among related Statecharts variants.

The remainder of this report is organized as follows. The next section presents our notation for Statecharts, recalls the classic Statecharts semantics of Pnueli and Shalev, and analyzes the compositionality problem. Sec. 3 presents a new intuitionistic semantics for Statecharts macro steps, characterizes Pnueli and Shalev's semantics within the novel framework, and provides a full-abstraction result for the Statecharts language without hierarchy operator. The latter result is extended to the full language in Sec. 4. Finally, Secs. 5 and 6 discuss related work and present our conclusions and directions for future work, respectively. The appendices contain some longer proofs as well as some complementary technical material.

2. Statecharts: Syntax, Semantics, and Compositionality. Statecharts is a visual language for specifying reactive systems, i.e., concurrent systems interacting with their environment. They subsume labeled transition systems where labels are pairs of event sets. The first component of a pair is referred to as trigger, which may include negative events, and the second as action. Intuitively, a transition is enabled if the environment offers all positive events in the trigger but none of the negative ones. When a transition fires, it produces the events specified in its action. Concurrency is introduced by allowing Statecharts to run in parallel and to communicate by broadcasting events. Additionally, basic states may be hierarchically refined by injecting other Statecharts. This creates composite states of two possible sorts, which are referred to as and-states and or-states, respectively. Whereas and-states permit parallel decompositions of states, or-states allow for sequential decompositions. Consequently, an and-state is active if all of its sub-states are active, and an or-state is active if exactly one of its sub-states is.
Fig. 2.1. Two example Statecharts.

As an example, the Statechart in Fig. 2.1 on the left consists of and-state s16 which puts and-state s14 and or-state s56 in parallel. Similarly, state s14 is a parallel composition of or-states s12 and s34. Each of these or-states describes a sequential state machine and is refined by two basic states. In case of s12, basic state s1 is the initial state which is connected to basic state s2 via transition t1. Here, s1 is the source state of t1, state s2 is its target state, · symbolizes its empty trigger, and a is its action. Hence, t1 is always enabled regardless of the events offered by the environment. Its firing produces event a and switches the active state of s12 from s1 to s2. This initiates a causal chain reaction, since the generation of a in turn triggers transition t3 in parallel component s56 which introduces event b. As a consequence, transition t2 in or-state s34 becomes enabled and fires within the same macro step.

The Statechart depicted in Fig. 2.1 on the right is like the one on the left, except that and-state s14 is replaced by or-state s79. The latter state encodes a choice regarding the execution of transitions t4 and t5 from state s7. The trigger of t4 is b̄, i.e., t4 is triggered by the absence of event b. Starting with an environment offering no event, thus assuming b to be absent, and-state s59 can autonomously engage in t4. The generation of a in turn triggers transition t3 which fires and produces b. However, t4 was fired under the assumption that b is absent. Since Statecharts is a synchronous language and no event can be simultaneously present and absent within the same macro step, this behavior is rejected as globally inconsistent. Thus, the response of s59 to the empty environment is failure, which is operationally different from an empty response.

2.1. Statecharts Configurations and Step Semantics. Like [17], we present the semantics of Statecharts as a single-step semantics which is given relative to a fixed but arbitrary set of active states. As a consequence, Statecharts' hierarchy operator acts exactly like a choice operator. Formally, let Π and T be countably infinite sets of events and transition names, respectively. For every event e ∈ Π, its negative counterpart is denoted by ē. We define ē̄ =df e and write Ē for {ē | e ∈ E}. With every t ∈ T we associate a transition E/A consisting of a trigger trg(t) =df E ⊆_fin Π ∪ Π̄ and an action act(t) =df A ⊆_fin Π, where E and A are required to be finite sets. For simplicity, we use the abbreviation e1 ··· en/a1 ··· am for transition {e1, ..., en}/{a1, ..., am}, and we denote an empty trigger or action in a transition by the symbol ·. We also write P,N/A for label E/A when we wish to distinguish the set P =df E ∩ Π of positive trigger events from the set N =df E ∩ Π̄ of negative trigger events. Now, we are able to describe a Statechart relative to a set of active states as a term in the BNF

C ::= 0 | x | t | C || C | C + C ,

where t ∈ T and x is a variable. Terms not containing variables are called configurations. Intuitively, configuration 0 represents a Statechart state with no outgoing transitions (basic state), C || D denotes the parallel composition of configurations C and D (and-state), and C + D stands for the choice between executing C or D (or-state). As mentioned earlier, the latter construct + coincides with Statecharts' hierarchy operator, which reduces to choice when considering single macro steps only; thus, we refer to operator + also as choice operator. Moreover, in the visual Statecharts notation, C + D is somewhat more restrictive, in that it requires D to be a choice of transitions. For instance, (t1 || t2) + (t3 || t4) is prohibited in Statecharts visual syntax whereas it is a valid configuration in our setting. Semantically, however, our generalization is inessential with respect to the considered semantics of Pnueli and Shalev, as we will show in Sec. 4.4. The set of all configurations is denoted by 𝒞 and ranged over by C and D. The set of "+"-free, or parallel, configurations is written as 𝒫𝒞. We call terms Φ[x] with a single variable occurrence x contexts, and write Φ[C] for the substitution of C for x in Φ[x]. Contexts of form x || C and x + C are referred to as parallel contexts and choice contexts, respectively. We tacitly assume that transition names are unique in every term, and we let trans(C) stand for the set of transition names occurring in C.

Any Statechart in a given set of active states corresponds to a configuration. For example, Statecharts s14 and s79, in their initial state, correspond to configurations C14 =df t1 || t2 and C79 =df t4 + t5, respectively. The Statecharts depicted in Fig. 2.1 are then formalized as C16 =df Φ56[C14] and C59 =df Φ56[C79], respectively, using the parallel context Φ56[x] =df x || t3. Moreover, since transitions are uniquely named in configurations and thus may be associated with their source and target states, one can easily determine the set of active states reached after firing a set of transitions; see [17] for details. As in [17], we do not consider interlevel transitions and state references [20] to keep our syntax for Statecharts sufficiently simple. Although the syntax would have to be extended, our semantics can accommodate these features, too. Finally, we want to remark that the unique naming of transitions is not an essential assumption but just a convenient means in the operational semantics to define the step response of a Statechart configuration. We will see that the intuitionistic model theory developed in this report allows us to do away with naming transitions.

To present the response behavior of a configuration C, as defined by Pnueli and Shalev, we have to determine which transitions in trans(C) may fire together to form a macro step. A macro step comprises a maximal set of transitions that are triggered by events offered by the environment or produced by the firing of other transitions, that are mutually consistent ("orthogonal"), and that obey causality and global consistency. We start off by formally introducing some of these notions.

• A transition t is consistent with T ⊆ trans(C), in signs t ∈ consistent(C, T), if t is not in the same parallel component as any t' ∈ T. Formally,

consistent(C, T) =df {t ∈ trans(C) | ∀t' ∈ T. t ⊥_C t'} ,

where t ⊥_C t', if t = t' or if t and t' are on different sides of an occurrence of || in C.

• A transition t is triggered by a finite set E of events, in signs t ∈ triggered(C, E), if the positive, but not the negative, trigger events of t are in E. Formally,

triggered(C, E) =df {t ∈ trans(C) | trg(t) ∩ Π ⊆ E and (trg(t) ∩ Π̄) ∩ Ē = ∅} .

• A transition t is enabled in C with respect to a finite set E of events and a set T of transitions, if t ∈ enabled(C, E, T), where

enabled(C, E, T) =df consistent(C, T) ∩ triggered(C, E ∪ ⋃_{t∈T} act(t)) .

Intuitively, assuming transitions T are known to fire, enabled(C, E, T) determines the set of all transitions of C that are enabled by the actions of T and the environment events in E. In the following, we use act(T) as an abbreviation for ⋃_{t∈T} act(t).
With these preliminaries, we may now present Pnueli and Shalev's iterative step-construction procedure [17] for causally determining macro steps relative to a configuration C and a finite set E of environment events.

procedure step-construction(C, E);
    var T := ∅;
    while T ⊂ enabled(C, E, T) do
        choose t ∈ enabled(C, E, T) \ T;
        T := T ∪ {t}
    od;
    if T = enabled(C, E, T) then return T
    else report failure
end step-construction.

This procedure computes nondeterministically, relative to a configuration C and a finite environment E, those sets T of transitions that can fire together in a macro step. Note that due to failures raised when detecting global inconsistencies, the step construction might involve backtracking, which makes the above algorithm inefficient for implementation. To highlight the role of failures further in this report, it will be useful to introduce a special failure event ⊥ ∈ Π in order to represent the failure behavior of the step semantics explicitly. For instance, we can then define transition a/⊥ which raises a failure exception as soon as event a becomes present. Note that, e.g., the firing of transition ā/a, which can already be expressed in the standard syntax, raises a failure in the absence of event a. Hence, adding an explicit ⊥ event makes the representation of failure behavior more symmetric in that it allows us to enforce the presence as well as the absence of certain events in a macro step. It should be stressed that, as we will show in Sec. 4.4, adding event ⊥ is a conservative extension that does not change the semantics of the original Statecharts language. It permits, however, a more uniform algebra of configurations. In particular, having ⊥ available has the important technical advantage that certain semantic constructions on the original Statecharts language become syntactically representable. Moreover, there are also new behaviors expressible that may be useful in applications. Therefore, we will study both variants of Statecharts semantics, with and without ⊥, in the remainder of this report.

Following Pnueli and Shalev, a set T of transitions is called constructible, for a given configuration C and a finite set E of environment events, if and only if it can be obtained as a result of successfully executing procedure step-construction. Whenever we wish to indicate the environment, we say that T is E-constructible. For each E-constructible set T, the set A =df E ∪ act(T) ⊆_fin Π is called the (step) response of C for E, in signs C ⇓_E A. If event ⊥ is considered, we also require ⊥ ∉ A. Moreover, if E = ∅, we simply write C ⇓ A. Note that E may also be modeled by a parallel context consisting of a single transition ·/E, as C ⇓_E A if and only if (C || ·/E) ⇓ A holds. Pnueli and Shalev also provided an equivalent declarative definition of their operational step semantics. A set T of transitions is called E-separable for C if there exists a proper subset T' ⊂ T such that enabled(C, E, T') ∩ (T \ T') = ∅. Further, T is E-admissible for C if (i) T is E-inseparable for C, (ii) T = enabled(C, E, T), and (iii) ⊥ ∉ act(T). When configuration C and environment E are understood, we also say that T is admissible or separable, respectively.

Theorem 2.1 (Pnueli & Shalev [17]). For all configurations C ∈ 𝒞 and event sets E ⊆_fin Π, a set T of transitions is E-admissible for C if and only if T is E-constructible for C.

While this theorem emphasizes the mathematical elegance of Pnueli and Shalev's semantics, it still does not support implementations. However, because of Thm. 2.1, one may use the notions of constructibility and admissibility interchangeably. In fact, the approach we are going to present in the following sections is derived more conveniently from the declarative characterization.

2.2. The Compositionality Problem. The macro-step semantics induces a natural equivalence relation ≃ over configurations, called step equivalence, satisfying C ≃ D whenever C ⇓_E A if and only if D ⇓_E A, for all E, A ⊆_fin Π. For simplicity, ≃ does not account for target states of transitions since these can be encoded in event names. The compositionality defect of the macro-step semantics manifests itself in the fact that ≃ is not a congruence for the configuration algebra. Consider our example of Fig. 2.1 and assume that states s2, s4, s6, s8, and s9 are all equivalent. It is easy to see that configurations C14 and C79 have the same response behavior. Both C14 ⇓_E A and C79 ⇓_E A are equivalent to A = E ∪ {a}, no matter whether event b is present or absent in environment E. However, Φ56[C14] = C16 ≄ C59 = Φ56[C79], since C16 ⇓ {a, b} but C59 ⇓ A holds for no A ⊆_fin Π, as C59 always fails for the empty environment. Hence, the equivalence C14 ≃ C79 is not preserved by context Φ56[x]. The intuitive reason for why C14 and C79 are identified in the first place is that the response semantics does not account for any proper interaction with the environment. It adopts the classic closed-world assumption which states that every event is either present from the very beginning of a given macro step or will never arise. This eliminates the possibility that events may be generated due to interactions with the environment, such as event b in C16 ⇓ {a, b}. In short, a compositional macro-step semantics does not validate the Law of the Excluded Middle b ∨ ¬b = true. Since intuitionistic logic [19] differs from classic logic by refuting the Law of the Excluded Middle, it is a good candidate framework for analyzing the step semantics of Statecharts.

It must be stressed that the compositionality defect is an issue of parallel composition || and not of operator +. Configuration C79 = b̄/a + b/a has exactly the same behavior as configuration C79' =df b̄/a || b/a, which we could have used instead. The compositionality problem can also be demonstrated by the two parallel configurations D1 =df ·/a || b/c and D2 =df b̄/a || b/ac, which have the same step responses but can be distinguished in context Φ56[x], as Φ56[D1] ⇓ {a, b, c} but Φ56[D2] ⇓ A holds for no A ⊆_fin Π.

Our goal is to characterize the largest congruence, called step congruence, contained in step equivalence, where C ≅ D if Φ[C] ≃ Φ[D] for all contexts Φ[x]. While the compositionality defect is well-known, a fully-abstract semantics with respect to Pnueli and Shalev's macro-step semantics has not yet been presented in the literature. Of course, one can trivially obtain that C ≅ D is equivalent to [C]_0 = [D]_0, where [C]_0 =df {(A, Φ[x]) | Φ[C] ⇓ A}. However, [·]_0 is a syntactic characterization rather than a semantic one, which we will develop below. Note that we intend to achieve compositionality in the declarative sense of a fully-abstract semantics and not in the constructive sense of a denotational semantics (cf. Sec. 5).
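To make the step-construction procedure of Sec. 2.1 and the compositionality examples above concrete, the following Python program (an added illustration, not code from the original report) follows every nondeterministic run of step-construction, tests admissibility by the declarative definition, and reproduces C16 ⇓ {a, b}, the failure of C59, and the equal responses of C14 and C79 (and of D1 and D2) that the context Φ56 separates. The labels t1 = ·/a, t2 = b/·, t3 = a/b, t4 = b̄/a, t5 = b/a, the extra names t6 = b/c and t7 = b/ac, and the term encoding are assumptions of this example.

```python
"""Pnueli and Shalev's step construction beside its declarative counterpart.

Configurations follow the BNF of Sec. 2.1: "0", a transition name, or
("par"/"choice", C, D) for C || D and C + D; a name maps to (P, N, A), i.e.
positive trigger, negative trigger (events that must be absent) and action.
"""
from itertools import combinations

FAIL = "⊥"  # explicit failure event of Sec. 2.1; may occur in an action

TRANS = {   # labels t1..t5 read off Fig. 2.1; t6, t7 build D1 and D2 (assumed)
    "t1": (frozenset(), frozenset(), frozenset("a")),      # ·/a
    "t2": (frozenset("b"), frozenset(), frozenset()),      # b/·
    "t3": (frozenset("a"), frozenset(), frozenset("b")),   # a/b
    "t4": (frozenset(), frozenset("b"), frozenset("a")),   # b̄/a
    "t5": (frozenset("b"), frozenset(), frozenset("a")),   # b/a
    "t6": (frozenset("b"), frozenset(), frozenset("c")),   # b/c
    "t7": (frozenset("b"), frozenset(), frozenset("ac")),  # b/ac
}

def phi56(x):  # parallel context Φ56[x] = x || t3
    return ("par", x, "t3")

C14, C79 = ("par", "t1", "t2"), ("choice", "t4", "t5")
C16, C59 = phi56(C14), phi56(C79)
D1, D2 = ("par", "t1", "t6"), ("par", "t4", "t7")  # ·/a || b/c,  b̄/a || b/ac

def trans(C):
    """Transition names occurring in C."""
    if C == "0":
        return frozenset()
    if isinstance(C, str):
        return frozenset([C])
    return trans(C[1]) | trans(C[2])

def orthogonal(C, t, u):
    """t ⊥_C u: t = u, or t and u lie on different sides of some || in C."""
    if t == u:
        return True
    if isinstance(C, str):
        return False
    op, left, right = C
    if t in trans(left) and u in trans(left):
        return orthogonal(left, t, u)
    if t in trans(right) and u in trans(right):
        return orthogonal(right, t, u)
    return op == "par"  # separated only by a choice +: not orthogonal

def act(T):
    return frozenset().union(*(TRANS[t][2] for t in T))

def consistent(C, T):
    return frozenset(t for t in trans(C) if all(orthogonal(C, t, u) for u in T))

def triggered(C, E):
    return frozenset(t for t in trans(C) if TRANS[t][0] <= E and not TRANS[t][1] & E)

def enabled(C, E, T):
    return consistent(C, T) & triggered(C, E | act(T))

def constructible(C, E):
    """All E-constructible sets: every nondeterministic run of step-construction
    is followed, and a run that reports failure contributes nothing."""
    E, results, seen = frozenset(E), set(), set()
    def run(T):
        if T in seen:
            return
        seen.add(T)
        en = enabled(C, E, T)
        if T < en:                  # while T ⊂ enabled(C,E,T): choose t ∈ en \ T
            for t in en - T:
                run(T | {t})
        elif T == en:               # stable and consistent: return T
            results.add(T)
        # else: some t ∈ T lost its justification -> report failure
    run(frozenset())
    return results

def responses(C, E):
    """All A with C ⇓_E A; a set containing ⊥ is never a response."""
    E = frozenset(E)
    return {E | act(T) for T in constructible(C, E) if FAIL not in act(T)}

def subsets(S):
    S = sorted(S)
    return [frozenset(c) for k in range(len(S) + 1) for c in combinations(S, k)]

def admissible(C, E):
    """Declarative side of Thm. 2.1: T = enabled(C,E,T), ⊥ ∉ act(T), E-inseparable."""
    E, out = frozenset(E), set()
    for T in subsets(trans(C)):
        if T != enabled(C, E, T) or FAIL in act(T):
            continue
        separable = any(not (enabled(C, E, T2) & (T - T2))
                        for T2 in subsets(T) if T2 != T)
        if not separable:
            out.add(T)
    return out
```

Exploring all runs at once makes the backtracking of the original procedure visible: for C59 and the empty environment the only run reaches T = {t4, t3}, where t4 loses its justification, so no response exists.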

3. Intuitionistic Semantics via Stabilization Sequences. We start off by investigating parallel configurations within parallel contexts, for which many semantic insights may already be obtained. First, we propose a novel intuitionistic semantics for this fragment, then show its relation to Pnueli and Shalev's original semantics, and finally derive a full-abstraction result. The next section generalizes this result to arbitrary configurations within arbitrary contexts.

Our new semantic interpretation of parallel configurations C, based on an "open-world assumption," is given in terms of finite increasing sequences of worlds (or states) E_0 ⊆ E_1 ⊆ ··· ⊆ E_n, for some natural number n. Each E_i ⊆_fin Π \ {⊥} is the set of events generated or present in the respective world, and the absence of ⊥ ensures that each world is consistent. A sequence represents the interactions between C and a potential environment during a macro step. Intuitively, the initial world E_0 contains all events e which are generated by those transitions of C that can fire autonomously. When transitioning from world E_{i-1} to E_i, some events in E_i \ E_{i-1} are provided by the environment, as reaction to the events validated by C when reaching E_{i-1}. The new events destabilize world E_{i-1} and may enable a chain reaction of transitions within C. The step-construction procedure, which tracks and accumulates all these events, then defines the new world E_i. In accordance with this intuition, we call the above sequences stabilization sequences. The overall response of C after n interactions with the environment is the event set E_n.

The monotonicity requirement of stabilization sequences reflects the fact that our knowledge of the presence and absence of events increases in the process of constructing a macro step. More precisely, each world contains the events assumed or known to be present. Only if an event is not included in the final world is it known to be absent for sure. The fact that an event e is not present in a world, e ∉ E_i, does not preclude e from becoming available later in the considered stabilization sequence. This semantic gap between "not present" and "absent" makes the underlying logic intuitionistic as opposed to classic. Indeed, we shall see that parallel configurations are most naturally viewed as intuitionistic formulas specifying linear intuitionistic Kripke models.

3.1. Intuitionistic Semantics for Parallel Configurations. Formally, a stabilization sequence M is a pair (n, V), where n ∈ ℕ \ {0} is the length of the sequence and V is a state valuation, i.e., a monotonic mapping from the interval [0, ..., n−1] to finite subsets of Π \ {⊥}. Stabilization sequences of length n are also referred to as n-sequences. It will be technically convenient to assume that M is irredundant, i.e., V(i−1) ⊂ V(i) for all 0 < i < n. This assumption, however, is not important for the results in this report.

Definition 3.1 (Sequence Model). Let M = (n, V) be a stabilization sequence and C ∈ 𝒫𝒞. Then, M is said to be a sequence model of C, if M ⊨ C, where the satisfaction relation ⊨ is defined along the structure of C as follows:

1. Always M ⊨ 0,

2. M ⊨ C || D if M ⊨ C and M ⊨ D, and

3. M ⊨ P,N/A if both N ∩ V(n−1) = ∅ and P ⊆ V(i) imply A ⊆ V(i), for all i < n.

This definition is a simplified version of the standard semantics obtained when reading C ∈ 𝒫𝒞 as an intuitionistic formula [19], i.e., when taking events to be atomic propositions and replacing ā by negation ¬a, concatenation of events and "||" by conjunction "∧", and the transition slash "/" by implication "⊃". An empty trigger, an empty action, and configuration 0 are identified with true. Then, M ⊨ C if and only if C holds for the intuitionistic Kripke structure M. In the sequel, we abbreviate the set {M | M ⊨ C} of sequence models of C by SM(C). It will sometimes be useful to consider the sequence models 2SM(C) of C of length at most two only, i.e., 2SM(C) =df {(n, V) | (n, V) ∈ SM(C) and n ≤ 2}.

In our introductory example, configuration C79 is behaviorally equivalent to C79' =df b̄/a || b/a. The latter configuration may be identified with formula (¬b ⊃ a) ∧ (b ⊃ a) which states "if b is absent throughout a macro step or b is present throughout a macro step, then a is asserted." In classic logic, configuration C79' would be deemed equivalent to the single transition C12 = ·/a corresponding to formula true ⊃ a. As mentioned before, this is inadequate as both do not have the same operational behavior, since C79' || a/b fails whereas C12 || a/b has step response {a, b} in the empty environment. In our intuitionistic semantics, the difference is faithfully witnessed by the 2-sequence M = (2, V), where V(0) =df ∅ and V(1) =df {a, b}. Here, M is a sequence model of configuration C79' but not of configuration C12.
As another example, consider configurations ā/a and ·/a corresponding to formulas ¬a ⊃ a and true ⊃ a, respectively. In classic logic both are equivalent. Yet, they differ in their operational behavior. The former configuration fails in the empty environment while the latter produces response {a}. In our intuitionistic semantics, however, both are distinguished: ¬a ⊃ a specifies "eventually a must be present," as ā/a expects the environment to assert event a in order to avoid failure. This is different from true ⊃ a which specifies "always a." Formally, formula ¬a ⊃ a possesses two sequence models over set {a}: (i) 2-sequence (2, V1), where V1(0) =df ∅ and V1(1) =df {a}, and (ii) 1-sequence (1, V2), where V2(0) =df {a}. However, according to Def. 3.1, (2, V1) is not a sequence model of formula true ⊃ a. Finally, consider formula (a ⊃ b) ∧ (b ⊃ a) which corresponds to configuration a/b || b/a. This has also exactly two sequence models over event set {a, b}: (i) 2-sequence (2, W1), where W1(0) =df ∅ and W1(1) =df {a, b}, and (ii) 1-sequence (1, W2) with W2(0) =df {a, b}. Hence, the environment has to provide at least one event, a or b, in order for response {a, b} to occur, i.e., the transitions a/b and b/a cannot mutually trigger each other, in accordance with the principle of causality [20].

Note that the classic semantics is contained in the intuitionistic one by considering 1-sequences only. More precisely, every 1-sequence $M = (1, V)$ may be identified with a Boolean valuation $V' \in \Pi \to \mathbb{B}$ by taking $V'(a) = \mathit{tt}$ if and only if $a \in V(0)$. Then, $M \models C$ if and only if $C$ classically evaluates to $\mathit{tt}$ under valuation $V'$. Moreover, it will be convenient to identify a 1-sequence $(1, V)$ with a subset of events, i.e., the set $V(0) \subseteq_{\mathrm{fin}} \Pi \setminus \{\bot\}$. Vice versa, a subset $A \subseteq_{\mathrm{fin}} \Pi \setminus \{\bot\}$ induces the 1-sequence $(1, V)$, where $V(0) =_{\mathrm{df}} A$. Every $n$-sequence also contains a distinguished classic structure, namely its final state. We refer to the final state of $M = (n, V)$ as $M^*$, i.e., $M^* = (1, V^*)$ where $a \in V^*(0)$ if and only if $a \in V(n-1)$; sometimes, $M^*$ is simply identified with the final state $V(n-1)$. Finally, we also employ the notation $M^i$, for $i < n$, to denote the suffix sequence of $M$ that starts at state $i$, i.e., $M^i =_{\mathrm{df}} (n-i, V^i)$ where $V^i(j) =_{\mathrm{df}} V(i+j)$. It is easy to show that whenever $M \in \mathrm{SM}(C)$ then $M^i \in \mathrm{SM}(C)$, too.

Proposition 3.2. Let $C \in \mathcal{PC}$ and $M$ be an $n$-sequence. Then, $M \models C$ implies $M^i \models C$, for all $i < n$. As a consequence, one may always construct a model in $2\mathrm{SM}(C)$ when given a model in $\mathrm{SM}(C)$.

3.2. Characterization of Pnueli and Shalev's Semantics. We now show that the step responses of a parallel configuration $C$, according to Pnueli and Shalev's semantics, can be characterized as particular sequence models of $C$, to which we refer as response models. The response models of $C$ are those 1-sequence models of $C$, i.e., subsets $A \subseteq_{\mathrm{fin}} \Pi \setminus \{\bot\}$, that do not occur as the final world of any other sequence model of $C$ except itself. Intuitively, the validity of this characterization is founded in Pnueli and Shalev's closed-world assumption, which requires a response to emerge from within the considered configuration and not by interactions with the environment. More precisely, if event set $A$ occurs as the final state of an $n$-sequence model $M$, where $n > 1$, then $M$ represents a proper interaction sequence of the considered configuration with its environment that must occur in order for $C$ to participate in response $A$. Hence, if there is no non-trivial $n$-sequence $M$ with $M^* = A$, then $C$ can produce $A$ as an autonomous response.

Definition 3.3 (Response Model). Let $C \in \mathcal{PC}$. Then, $M = (1, V) \in \mathrm{SM}(C)$ is a response model of $C$ if $K^* = M^*$ implies $K = M$, for all $K \in \mathrm{SM}(C)$. The set of response models of $C$ is denoted $\mathrm{RM}(C)$.

Hence,  response  models  of  C  may  be  identified  with  specific  classic  models  of  C.  Observe,  however,  that 
their  definition  involves  essential  reference  to  the  intuitionistic  semantics  of  configurations. 

Theorem 3.4 (Characterization). Let $C \in \mathcal{PC}$ and $E, A \subseteq_{\mathrm{fin}} \Pi$. Then, $C \Longrightarrow_E A$ if and only if $A$ is a response model of configuration $C \,\|\, -/E$.
Proof. Let us start with a comment concerning our notation for transitions. In this and in the following proofs we will often identify a transition $P,N/B$ with the intuitionistic formula $P \wedge \neg N \supset B$. More precisely, formulas $P$ and $B$ stand for the conjunctions of the events in sets $P$ and $B$, respectively, and formula $\neg N$ abbreviates the conjunction of the negations of all events in set $N$. This propositional notation reflects precisely our intuitionistic semantics of Def. 3.1. Since $C \Longrightarrow_E A$ if and only if $(C \,\|\, -/E) \Longrightarrow_\emptyset A$, it suffices to show that $D \Longrightarrow_\emptyset A$ if and only if $A$ is a response model of $D$, for all $D \in \mathcal{PC}$ and $A \subseteq_{\mathrm{fin}} \Pi$.

• "$\Longrightarrow$": Let $D \Longrightarrow_\emptyset A$, and let $T$ be the set of admissible transitions generating response $A$; in particular, $\bot \notin A$. We show that $A$ is a response model of $D$. Let us first convince ourselves that $A$ is a model of $D$, i.e., $A \models D$. Recall that we identify $A$ with the stabilization sequence $(1, V)$, where $V(0) =_{\mathrm{df}} A$. Let $t = P \wedge \neg N \supset B$ be a transition from $D$. Suppose that $A \models P \wedge \neg N$, i.e., $P \subseteq A$ and $N \cap A = \emptyset$. Since $A$ is the set of events generated from $T$ and since $t$ is enabled by $A$, we conclude that $t$ must have fired, i.e., $t \in T$. This implies $B \subseteq A$. Thus, $A \models B$, which proves $A \models t$. Since $t$ was arbitrary, $A$ validates all (parallel) transitions of $D$, whence $A \models D$, as desired.

Next we show that $A$ is in fact a response model, i.e., there exists no non-classic irredundant extension of $A$ that is a model of $D$. Suppose $K = (n, V)$ is such an irredundant $n$-sequence model of $D$ with $K^* = A$ and $K \models D$. If $n = 1$, then $K = A$, and we are done. Otherwise, if $n \geq 2$, the sequence $K$ has at least two states; in particular, we must have $V(n-2) \subset A$. Sequence model $K$ has the following useful properties:

(1) $\forall b \in \Pi.\ A \models \neg b$ implies $K \models \neg b$, i.e., $A$ and $K$ have the same negated truths.

(2) $\exists a \in \Pi.\ A \models a$ but $K \not\models a$.

Prop. (1) implies that $K$ satisfies the negative triggers of all transitions that have fired to produce $A$, since those are all valid in $A$ and, hence, must be valid in $K$. Now, we use the fact that if $T$ is the set of transitions — or, more precisely, their corresponding formulas — which have fired to produce $A$ and if $\neg N$ are the cumulated negative triggers, then $T \wedge \neg N \models A$ is a valid consequence in intuitionistic logic. This can be shown without difficulties as an auxiliary lemma, using essentially the deductive nature of the step semantics, e.g., by induction on the number of iterations of the step-construction procedure. Thus, (i) $T \wedge \neg N \models A$, (ii) $K \models T$, since it is a model of $D$, and (iii) $K \models \neg N$, whence $K \models A$. But this contradicts Prop. (2).

• "$\Longleftarrow$": Suppose $M$ is a response model of $D$. We must prove $D \Longrightarrow_\emptyset M$. To this end, consider the set $T_M$ of all (parallel) transitions of $D$ that are enabled in $M$. We show that

(1) $T_M$ is an admissible set of transitions in $D$ and

(2) $\mathrm{act}(T_M) = M$.

Note that it is clear that $\bot \notin M$, as $M$ is a sequence model. Regarding Prop. (2), take any $t \in T_M$, say $t = P \wedge \neg N \supset B$. Since trigger $P \wedge \neg N$ of $t$ is valid in $M$ and since $M$ is a model of $D$, we must have $M \models B$, whence $B \subseteq M$. Thus, $\mathrm{act}(T_M) \subseteq M$. For the other inclusion, suppose there exists some $a \in M$ which does not appear as an action of any transition in $T_M$. We claim, then, that we can extend $M$ to an irredundant 2-sequence model $K$ of $D$ with $K^* = M$. To obtain such a $K$, take $K =_{\mathrm{df}} (2, V)$, where $V(1) =_{\mathrm{df}} M$ and $V(0) =_{\mathrm{df}} M \setminus \{a\}$. Now, we show that $K$ is a model of $D$. Take any transition $t$ of $D$, say $P \wedge \neg N \supset B$. For establishing $K \models t$, we follow the semantic definition of transitions (cf. Def. 3.1). Suppose $i \in \{0, 1\}$, $V(1) \cap N = \emptyset$, and $P \subseteq V(i)$. We have to show that $B \subseteq V(i)$. Since $V(1) = M$ and $M \models t$, this follows immediately in case $i = 1$. So, consider $i = 0$. The assumptions $P \subseteq V(0) \subseteq V(1)$ and $V(1) \cap N = \emptyset$ mean that $t$ is enabled in $M = V(1)$, whence $t \in T_M$ by construction. But then $a \notin B$, since all events in $B$ are actions of $T_M$ and since $a$ does by assumption not appear as an action in $T_M$. Now, $a \notin B$ finally means $B = B \setminus \{a\} \subseteq M \setminus \{a\} = V(0)$. Hence, $B \subseteq V(0)$, as desired. This completes the proof that $K$ is a model of $t$, for arbitrary $t \in \mathrm{trans}(D)$, whence $K \models D$. Consequently, we have extended $M$ to an irredundant sequence model $K$ of $D$ of length 2, which contradicts the assumption that $M$ is a response model. Thus, $M \subseteq \mathrm{act}(T_M)$, and, putting our results together, $M = \mathrm{act}(T_M)$.

Regarding Prop. (1), it is not difficult to prove that $T_M = \mathrm{enabled}(D, \emptyset, T_M)$. Let $t \in T_M$. We claim that $t$ is enabled by the set of actions of $T_M$. Since, by Prop. (2), $M$ is exactly the set of all actions generated by $T_M$ and since $t$ is enabled in $M$, transition $t$ must be enabled by $T_M$. Hence, $T_M \subseteq \mathrm{enabled}(D, \emptyset, T_M)$. Vice versa, let $t$ be a transition of $D$ enabled in $T_M$, whence enabled in $M$. Then, $t \in T_M$ by definition. This proves the first part of admissibility. It remains to be shown that there exists some $t \in T_M \setminus T$ such that $t \in \mathrm{enabled}(D, \emptyset, T)$, for any $T \subset T_M$. Let $T \subset T_M$ be a proper subset of $T_M$. Consider the set $\mathrm{act}(T)$ of actions generated from $T$, which satisfies $\mathrm{act}(T) \subseteq \mathrm{act}(T_M) = M$ by Prop. (2). We distinguish two cases. First, if $\mathrm{act}(T) = M$, then by definition all transitions in $T_M$ are enabled by $\mathrm{act}(T)$. Thus, since $T_M \setminus T$ is non-empty, there exists at least one transition in $T_M$ outside of $T$ that is enabled by $T$. Second, assume $\mathrm{act}(T) \subset M$ is a proper subset. We then define the irredundant stabilization sequence $K =_{\mathrm{df}} (2, V)$ as a model extension of $M$, such that $V(0) =_{\mathrm{df}} \mathrm{act}(T)$ and $V(1) =_{\mathrm{df}} M$. Since $M = K^*$ is a response model by assumption, $K$ cannot be a model of $D$. Thus, there exists some transition $t$, say $P \wedge \neg N \supset A$, such that $K \not\models t$. By the semantic definition for transitions (cf. Def. 3.1) this means that there exists an $i \in \{0, 1\}$ such that (i) $P \subseteq V(i)$, (ii) $V(1) \cap N = \emptyset$, and (iii) $A \not\subseteq V(i)$. Since $P \subseteq V(i) \subseteq V(1)$ and $V(1) \cap N = \emptyset$, transition $t$ is enabled in $M = V(1)$. Thus, $t \in T_M$. The remaining fact $A \not\subseteq V(i)$ implies $t \notin T$; otherwise, if $t \in T$ then $A \subseteq \mathrm{act}(T) = V(0)$, which contradicts $A \not\subseteq V(i)$, since $V(0) \subseteq V(i)$, for any $i$. Hence, $t \in T_M \setminus T$ and $t \in \mathrm{enabled}(D, \emptyset, T)$, as desired.

This  completes  the  proof  of  Thm.  3.4.  □ 

Thm. 3.4 provides a simple model-theoretic characterization of step responses. For example, recall that configuration $\bar{a}/a$ forces Pnueli and Shalev's step construction procedure to fail. As shown before, the only sequence model of $\bar{a}/a$ of length 1 and using only event $a$ is $(1, V_2)$. But $(1, V_2)$ is not a response model since it is the final world of 2-sequence model $(2, V_1)$. Since $\neg a \supset a$ does not have any response model, transition $\bar{a}/a$ can only fail in the empty environment. As another example, re-visit configuration $a/b \,\|\, b/a$, for which just sequence $(1, W_2)$ is a response model. Thus, $(a/b \,\|\, b/a) \Longrightarrow_\emptyset \emptyset$ is the only response in the empty environment.
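The following Python program is an added example; it is not part of the paper. It implements the sequence-model semantics used in Sect. 3.1 and in the examples above (stabilization sequences over a finite alphabet, $M \models C$, $\mathrm{SM}(C)$, $\mathrm{RM}(C)$), together with Pnueli and Shalev's step construction, and checks Thm. 3.4 on the configurations discussed in the text: $\bar{a}/a$, $-/a$, $a/b \,\|\, b/a$, $C_{10} \,\|\, a/b$ and $C_{12} \,\|\, a/b$. Two assumptions are built in: Def. 3.1 is taken in the form the proofs use it (a transition $P,N/B$ holds on a sequence if, at every state where $P$ holds and $N$ is absent from the final state, $B$ holds at that state), and the event alphabet is finite and omits the failure event $\bot$. All function names (`step_responses`, `characterization_holds`, ...) are the example's own.

```python
from itertools import combinations

fs = frozenset

# A transition P,N/B is a triple of frozensets: positive trigger P, negative
# trigger N, action B.  A parallel configuration is a set of such triples.
# Assumption: no transition emits the failure event, so the alphabet omits it.
def tr(pos="", neg="", act=""):
    return (fs(pos), fs(neg), fs(act))

# Configurations discussed in the text (an overbar marks a negated trigger).
NOT_A_A = {tr(neg="a", act="a")}                          # \bar a / a
TRUE_A = {tr(act="a")}                                    # - / a
AB_BA = {tr(pos="a", act="b"), tr(pos="b", act="a")}      # a/b || b/a
C10 = {tr(neg="b", act="a"), tr(pos="b", act="a")}        # \bar b / a || b/a
C12 = TRUE_A                                              # classically equal to C10
A_B = {tr(pos="a", act="b")}                              # a/b

def parallel(*configs):
    return set().union(*configs)

def env_transition(env):
    """The context -/E of Thm. 3.4: empty trigger, action E."""
    return {tr(act=env)}

def subsets(events):
    ev = sorted(events)
    return [fs(c) for r in range(len(ev) + 1) for c in combinations(ev, r)]

def stabilization_sequences(events):
    """All strictly increasing chains of subsets of `events`, as tuples of states."""
    subs = subsets(events)
    def extend(prefix):
        yield prefix
        for s in subs:
            if prefix[-1] < s:            # strict inclusion: no redundant states
                yield from extend(prefix + (s,))
    return [seq for s in subs for seq in extend((s,))]

def satisfies(seq, t):
    """Truth of P and not-N implies B on a linear Kripke sequence: negation is
    decided at the final state; at every state where P holds (and N is absent
    from the final state) B must hold at that very state."""
    p, n, b = t
    final = seq[-1]
    return all(b <= state for state in seq if p <= state and not (n & final))

def sequence_models(config, events):
    """SM(C), restricted to the finite alphabet `events`."""
    return {seq for seq in stabilization_sequences(events)
            if all(satisfies(seq, t) for t in config)}

def response_models(config, events):
    """Def. 3.3: 1-sequence models that are not the final state of a longer model."""
    sm = sequence_models(config, events)
    finals_of_longer = {seq[-1] for seq in sm if len(seq) > 1}
    return {seq[0] for seq in sm if len(seq) == 1 and seq[0] not in finals_of_longer}

def step_responses(config, env):
    """Pnueli and Shalev's step construction: starting from the environment E,
    fire one enabled transition at a time, in every possible order.  A branch
    yields the response E + act(T) when the fired set T is exactly the set of
    transitions enabled by E + act(T); otherwise (a fired transition's negative
    trigger was violated later) the branch fails.  An empty result means the
    construction fails for every firing order."""
    env = fs(env)
    def actions(fired):
        return env.union(*(b for _, _, b in fired))
    def enabled(fired):
        known = actions(fired)
        return {t for t in config if t[0] <= known and not (t[1] & known)}
    def explore(fired):
        en = enabled(fired)
        new = en - fired
        if not new:
            return {actions(fired)} if fired <= en else set()
        return set().union(*(explore(fired | {t}) for t in new))
    return explore(fs())

def characterization_holds(config, env, events):
    """Thm. 3.4: C ==>_E A  iff  A is a response model of C || -/E."""
    return step_responses(config, env) == \
        response_models(parallel(config, env_transition(env)), events)

if __name__ == "__main__":
    for name, cfg in [("a/b||b/a", AB_BA), ("C10||a/b", parallel(C10, A_B)),
                      ("C12||a/b", parallel(C12, A_B))]:
        print(name, "responses:", step_responses(cfg, set()),
              "response models:", response_models(cfg, {"a", "b"}))
```

Running the module prints, for $a/b \,\|\, b/a$, the single response $\emptyset$, for $C_{10} \,\|\, a/b$ no response at all (the step construction fails in its only firing order, because firing $\bar{b}/a$ first later violates its own negative trigger), and for $C_{12} \,\|\, a/b$ the response $\{a,b\}$; in each case the set of response models computed from Def. 3.3 coincides, as Thm. 3.4 states.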

3.3. Full Abstraction for Parallel Configurations. Sequence models are not only elegant for characterizing Pnueli and Shalev's semantics, but also lead to a fully-abstract semantics for parallel configurations within parallel contexts.

Theorem 3.5 (Full Abstraction). For all $C, D \in \mathcal{PC}$, the following statements are equivalent:

1. $\mathrm{SM}(C) = \mathrm{SM}(D)$.

2. $2\mathrm{SM}(C) = 2\mathrm{SM}(D)$.

3. $(C \,\|\, R) \Longrightarrow_E A$ if and only if $(D \,\|\, R) \Longrightarrow_E A$, for all $R \in \mathcal{PC}$ and $E, A \subseteq_{\mathrm{fin}} \Pi$.

4. $\mathrm{RM}(C \,\|\, R) = \mathrm{RM}(D \,\|\, R)$, for all $R \in \mathcal{PC}$.

This theorem states that we can completely determ​ine the response behavior of a parallel configuration in arbitrary parallel contexts from its sequence models, or indeed its 1- and 2-sequence models. Hence, sequence models contain precisely the information needed to capture all possible interactions of a parallel configuration within all potential environments. To prove Thm. 3.5, we first establish an auxiliary lemma to show that the set of sequence models of at most length two contains the same information as the set of sequence models of arbitrary length.

Lemma 3.6. Let $C, D \in \mathcal{PC}$, and let $K$ be a stabilization sequence of arbitrary length such that $K \models C$, $K \not\models D$, and $K^* \models D$. Then, there exists a 2-sequence $M$ with $M \models C$, $M \not\models D$, and $M^* = K^*$.

Proof. Let configurations $C$ and $D$ and $n$-sequence $K = (n, W)$ be given as stated in the lemma. Clearly, $n \geq 2$, as $K = K^*$ would be inconsistent with the assumptions $K \not\models D$ and $K^* \models D$. Now, let $0 \leq l \leq n-2$ be the largest $l$ such that $K^l \not\models D$ and $K^{l+1} \models D$. Consider the 2-sequence model $M =_{\mathrm{df}} (2, V)$ where $V(0) =_{\mathrm{df}} W(l)$ and $V(1) =_{\mathrm{df}} W(n-1)$, i.e., $M$ consists of the first and the last state of $K^l$. Obviously, $M^* = K^*$. We will show that $M \models C$ but $M \not\models D$. We first prove that for every transition $t$, say $P \wedge \neg N \supset A$,

$K^l \models t$ if and only if $M \models t$. (3.1)

From this our claim follows because parallel configurations $C$ and $D$ are conjunctions of transitions and, moreover, $K^l \models C$ and $K^l \not\models D$. Since $K^* = W(n-1) = V(1) = M^*$ we immediately have

$K^* \models t$ if and only if $M^* \models t$, as well as $M \models \neg N$ if and only if $K^l \models \neg N$.

By construction, $W(l) = V(0)$, whence they force the same events, in particular for $P$:

$P \subseteq W(l)$ if and only if $P \subseteq V(0)$, as well as $A \subseteq W(l)$ if and only if $A \subseteq V(0)$.

Taking all this together implies Statement (3.1). □

On  this  basis,  we  are  now  able  to  establish  Thm.  3.5. 

Proof [Theorem 3.5]. We begin with the equivalence of Statements (1) and (2). It is obvious that $\mathrm{SM}(C) = \mathrm{SM}(D)$ implies $2\mathrm{SM}(C) = 2\mathrm{SM}(D)$, as 1- and 2-sequence models are just special sequence models. For the other direction, assume w.l.o.g. that $\mathrm{SM}(C) \not\subseteq \mathrm{SM}(D)$. Hence, there must exist a stabilization sequence $K$ such that $K \models C$ and $K \not\models D$. In the case $K^* \not\models D$, we obtain $2\mathrm{SM}(C) \not\subseteq 2\mathrm{SM}(D)$ since $K^* \models C$ and since $K^*$ is a classic structure. In the case $K^* \models D$, we apply Lemma 3.6 which yields a 2-sequence model $M$ satisfying $M \models C$ and $M \not\models D$. Thus, $2\mathrm{SM}(C) \not\subseteq 2\mathrm{SM}(D)$, too. The equivalence of Statements (3) and (4) is an easy consequence of Thm. 3.4. It remains to establish the equivalence of Statements (2) and (4).

• "$\Longrightarrow$": Suppose that $2\mathrm{SM}(C) = 2\mathrm{SM}(D)$ and that $R \in \mathcal{PC}$. Then, $A \in \mathrm{RM}(C \,\|\, R)$ implies $A \models C$ and $A \models R$. Since $A$ is a classic sequence model of $C$, it must be a sequence model of $D$ and, hence, of $D \,\|\, R$. We claim that $A$ actually is a response model of $D \,\|\, R$. Suppose it was not. Then, there would exist an irredundant sequence model $K = (n, V)$ of $D \,\|\, R$ satisfying $n \geq 2$ and $K^* = V(n-1) = A$. Since $K$ is irredundant, it contains the 2-sequence $M = (2, W)$, where $W(0) =_{\mathrm{df}} V(n-2)$ and $W(1) =_{\mathrm{df}} V(n-1)$. By the properties of intuitionistic truth (cf. Def. 3.1), $K \models D \,\|\, R$ implies $M \models D \,\|\, R$. Hence, there exists a 2-sequence model $M$ with $M^* = A$ and $M \models D \,\|\, R$. Since $2\mathrm{SM}(C) = 2\mathrm{SM}(D)$, this implies $M \models C \,\|\, R$, contradicting the assumption that $A$ is a response model of $C \,\|\, R$.

• "$\Longleftarrow$": This proof direction needs slightly more work as it involves the construction of a discriminating context. We start off with the assumption $2\mathrm{SM}(C) \neq 2\mathrm{SM}(D)$. W.l.o.g., let $M$ be a stabilization sequence of length one or two such that $M \models C$ and $M \not\models D$. Moreover, define $A =_{\mathrm{df}} M^*$. We now distinguish two cases.

1. $A \not\models D$. Consider the context

$R =_{\mathrm{df}} \|\, \{\, L(0)/A \mid (n, L) \in 2\mathrm{SM}(C) \text{ and } L^* = A \,\}$.

Observe that $R$ is a parallel composition of finitely many transitions as $A$ is finite. Moreover, $R$ is non-empty since $M(0)/A$ is a transition in $R$. It is immediate that $A$ cannot be a response model of $D \,\|\, R$ because, by assumption, it is not even a model of $D$. We are done if we can show that $A \in \mathrm{RM}(C \,\|\, R)$. Since every transition of $R$ is of the form $L(0)/A$, we have $A \models R$. Also, $A \models C$ holds because $M \models C$ and $A = M^*$. Hence, $A \models C \,\|\, R$. Moreover, it is not difficult to show that there cannot exist a 2-sequence $K$ such that $K^* = A$ and $K \models C \,\|\, R$. If such $K$ would exist, it would have to satisfy $K(0) \subset A$ and $K \models C$. Hence, by construction, transition $K(0)/A$ is a parallel component of $R$. This means $K \not\models R$, since $K \not\models K(0)/A$, which follows from $K(0) \subseteq K(0)$ and $A \not\subseteq K(0)$. But $K \not\models R$ would be a contradiction to $K \models C \,\|\, R$. This shows that there exists no proper weakening $K$ of $A$ that is still a model of $C \,\|\, R$. Thus, $A$ is a response model of $C \,\|\, R$.

2. $A \models D$. Since $M^* = A$ and $M \not\models D$, this assumption implies that $M$ is irredundant, i.e., it is a 2-sequence with $M(0) \subset M(1)$. In this case, we construct a configuration $R$ such that $A$ is a response model of $D \,\|\, R$ but not of $C \,\|\, R$. Consider an arbitrary stabilization sequence $K$. We define transitions $t^M_K$ as follows; recall that $M$ is a 2-sequence, whence $M(1) = M^* = A$:

$t^M_K =_{\mathrm{df}} \begin{cases} K(0)/M(0) & \text{if } K(0) \subseteq M(0) \\ K(0)/M(1) & \text{otherwise.} \end{cases}$

Again the sets $K(0)$, $M(0)$, and $M(1)$ are finite. These transitions have the property that $M \models t^M_K$, for all $K$, and $K \not\models t^M_K$, for all $K$ such that $K(0) \neq M(0)$, $K(0) \neq M(1)$, and $K^* = M(1) = A$. The context configuration $R$ is now formed as

$R =_{\mathrm{df}} \|\, \{\, t^M_L \mid L \in 2\mathrm{SM}(D) \text{ and } L^* = A \,\}$.

As before, there is only a finite number of $L$ with $L^* = A$, as $A$ is finite. It follows from the above that $M \models R$ and also $A \models R$. Now we compare the response models of $C \,\|\, R$ and $D \,\|\, R$. Obviously, $A \notin \mathrm{RM}(C \,\|\, R)$, since $M$ is irredundant with $M^* = A$, and also $M \models C$ and $M \models R$, whence $M \models C \,\|\, R$. We claim that $A \in \mathrm{RM}(D \,\|\, R)$. First of all, $A \models D \,\|\, R$. Now suppose there exists an irredundant stabilization sequence $K$ such that $K^* = A$ and $K \models D \,\|\, R$. We may assume that $K$ has length 2 according to Prop. 3.2. By construction, $R$ then contains transition $t^M_K$, whence $K \models t^M_K$. However, this is impossible unless $K(0) = M(0)$ or $K(0) = M(1)$. If, however, $K(0) = M(0)$, then $K \not\models D$. This follows from $K^* = M(1) = A$ and the assumption $M \not\models D$, as one can show without difficulties. So, we must have $K(0) = M(1)$. Since $K^* = A = M(1)$ and since $K$ is irredundant, we conclude $K = A$. Thus, there cannot exist a non-trivial weakening of $A$ that is a model of $D \,\|\, R$. Hence, $A \in \mathrm{RM}(D \,\|\, R)$, as desired.

This  completes  the  proof  of  Thm.  3.5.  □ 


3.4. Characterization of Sequence Models. Thm. 3.5 does not mean that every set of stabilization sequences can be obtained from a parallel configuration. In fact, from the model theory of intuitionistic logic it is known that in order to specify arbitrary linear sequences, nested implications are needed [19]. Statecharts configurations, however, only use first-order implications and negations. Therefore, we may expect the semantics of configurations to satisfy additional structural properties due to the limited expressiveness of configuration formulas. In fact, it turns out that the sets $\mathrm{SM}(C)$ are closed under sub-sequences, refinement, and sequential composition. These notions are defined as follows:

• The $m$-sequence $M = (m, V)$ is a sub-sequence of the $n$-sequence $N = (n, W)$, written $M \leq N$, if there exists a mapping $f : [0, \ldots, m-1] \to [0, \ldots, n-1]$ such that $V(i) = W(f(i))$, for all $i < m$, and $V(m-1) = W(n-1)$. Note that $f$ must be strictly monotonic since $V$ and $W$ are strictly increasing. In other words, $M \leq N$ holds if $M$ is obtained from $N$ by dropping some states while preserving the final state.

• The $k$-sequence $K = (k, U)$ is a refinement of the $m$-sequence $M = (m, V)$ and the $n$-sequence $N = (n, W)$, written $K \preceq M \cap N$, if there exist mappings $f_M : [0, \ldots, k-1] \to [0, \ldots, m-1]$ and $f_N : [0, \ldots, k-1] \to [0, \ldots, n-1]$ such that $U(k-1) = V(m-1) = W(n-1)$ and $U(i) = V(f_M(i)) \cap W(f_N(i))$, for all $i < k$. Intuitively, $K \preceq M \cap N$ holds if $M$, $N$, and $K$ have the same final state and if every state of $K$ arises from the intersection of a state from $M$ with one from $N$.

• Finally, the sequential composition of $M = (m, V)$ and $N = (n, W)$, such that $V(m-1) \subset W(0)$, is the sequence $M ; N = (m + n, U)$ where $U(i) = V(i)$, for $i < m$, and $U(i) = W(i - m)$, otherwise.

One can easily verify that the set $\mathrm{SM}(C)$, for every parallel configuration $C \in \mathcal{PC}$, is closed under sub-sequences, refinement, and sequential composition. In the finite case the converse is also valid, i.e., every finite set of stabilization sequences which is closed under sub-sequences, refinement, and sequential composition is the set of sequence models of some parallel configuration, relative to some fixed finite set of events. However, instead of working with sets of sequence models, we will present an equivalent characterization that is much more compact and that employs simple finite lattice structures which we refer to as behaviors.
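The three closure operations just defined, as an added example that is not part of the paper: the input is the set of sequence models of $C_{10} = \bar{b}/a \,\|\, b/a$ over the alphabet $\{a, b\}$, listed by hand from Def. 3.1 (constructed data; sequences are tuples of states). The function `closure_violations` (the example's own name) reports every sub-sequence, refinement or sequential composition of members that is itself missing from the set; for the full model set it reports nothing, and removing the three-state model $(\emptyset, \{a\}, \{a,b\})$ shows up as a refinement of $(\emptyset, \{a,b\})$ with $(\{a\}, \{a,b\})$ that the reduced set no longer contains.

```python
fs = frozenset

# Constructed input: SM(C10) for C10 = \bar b/a || b/a over events {a, b},
# worked out by hand from Def. 3.1.  A sequence (n, V) is the tuple
# (V(0), ..., V(n-1)) of strictly increasing states.
SM_C10 = {(fs("a"),), (fs("ab"),), (fs(), fs("ab")), (fs("a"), fs("ab")),
          (fs(), fs("a"), fs("ab"))}

def chains(pool, final):
    """All strictly increasing sequences of states drawn from `pool` that end in `final`."""
    out = set()
    def extend(prefix):
        if prefix[-1] == final:
            out.add(prefix)
            return
        for s in pool:
            if prefix[-1] < s:
                extend(prefix + (s,))
    for s in pool:
        extend((s,))
    return out

def sub_sequences(n):
    """M <= N: every way of dropping states of N while keeping its final state."""
    return chains(set(n), n[-1])

def refinements(m, n):
    """K preceq M cap N: same final state, each state of K an intersection of a
    state of M with a state of N (empty when the final states differ)."""
    if m[-1] != n[-1]:
        return set()
    return chains({v & w for v in m for w in n}, m[-1])

def compose(m, n):
    """M ; N, defined only when the last state of M lies strictly below the first of N."""
    return m + n if m[-1] < n[0] else None

def closure_violations(sm):
    """Sequences obtained from members of `sm` by one of the three operations
    that are not themselves members; empty iff `sm` is closed."""
    missing = set()
    for n in sm:
        missing |= sub_sequences(n) - sm
    for m in sm:
        for n in sm:
            missing |= refinements(m, n) - sm
            c = compose(m, n)
            if c is not None and c not in sm:
                missing.add(c)
    return missing

if __name__ == "__main__":
    print("closed:", not closure_violations(SM_C10))
    print("missing after dropping the 3-state model:",
          closure_violations(SM_C10 - {(fs(), fs("a"), fs("ab"))}))
```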

Definition 3.7 (Behavior). A behavior $\mathcal{C}$ is a pair $(F, I)$, where $F \subseteq 2^{\Pi \setminus \{\bot\}}$ and $I$ is a function that maps every $B \in F$ to a set $I(B) \subseteq 2^B$ of subsets of $B$, such that

1. $I$ is monotonic, i.e., $B_1 \subseteq B_2$ implies $I(B_1) \subseteq I(B_2)$,

2. $I(B)$ is closed under intersection, i.e., $B_1, B_2 \in I(B)$ implies $B_1 \cap B_2 \in I(B)$, and

3. $B \in I(B)$.

If $F = \{A\}$, for some $A \subseteq \Pi$, then $\mathcal{C}$ is called $A$-bounded, or simply bounded if $A$ is understood. Moreover, $\mathcal{C}$ is directed if $F \neq \emptyset$ and $\forall B_1, B_2 \in F\ \exists B \in F.\ B_1 \subseteq B$ and $B_2 \subseteq B$.

Intuitively speaking, the first component $F$ of a behavior $\mathcal{C} = (F, I)$ captures the possible final responses of $\mathcal{C}$. For every such final response $B \in F$, the event sets $I(B) \subseteq 2^B$ represent the states of all stabilization sequences of $\mathcal{C}$ that end in $B$. Any strictly increasing sequence that moves only through states $I(B)$ and ends in $B$ is considered a stabilization sequence of the behavior. In case $I(B) = \{B\}$, set $B$ is an autonomous response of $\mathcal{C}$. This interpretation is confirmed below in Lemma 3.9 for those behaviors that are obtained from parallel Statecharts configurations.

It is not difficult to show that the pairs of initial and final states occurring together in the sequence models of $C \in \mathcal{PC}$ induce a behavior. More precisely, the induced behavior $\mathrm{Beh}(C)$ of $C$ is the pair $(F(C), I(C))$ which is defined as follows:

$F(C) =_{\mathrm{df}} \{\, E \subseteq \Pi \mid \exists (n, V) \in \mathrm{SM}(C).\ V(n-1) = E \,\}$ and
$I(C)(B) =_{\mathrm{df}} \{\, E \subseteq B \mid \exists (n, V) \in \mathrm{SM}(C).\ V(0) = E \text{ and } V(n-1) = B \,\}$.




From the property of sub-sequence closure we know that the initial and final states of any sequence model of $C$ form a 2-sequence model of $C$. Thus, we can also define behavior $(F(C), I(C))$ directly from $2\mathrm{SM}(C)$:

$X \in F(C)$ if and only if $X \in 2\mathrm{SM}(C)$, and
$X \in I(C)(Y)$ if and only if $(X, Y) \in 2\mathrm{SM}(C)$,

where we identify a 1-sequence $(1, V)$ with the subset $V(0)$ and a 2-sequence $(2, V)$ with the pair $(V(0), V(1))$. From our construction it is clear that $\mathrm{Beh}(C)$ is uniquely determined by $\mathrm{SM}(C)$ or, in fact, by $2\mathrm{SM}(C)$.

Lemma 3.8. For $C \in \mathcal{PC}$, $\mathrm{Beh}(C)$ is a behavior and, if $\bot$ does not occur in $C$, then $\mathrm{Beh}(C)$ is directed.

Proof. Observe that, for all stabilization sequences $(n, V)$, we have $\bot \notin V(n-1)$ by definition. Hence, $F(C) \subseteq 2^{\Pi \setminus \{\bot\}}$.

First, we show that $I(C)$ is monotonic. Let $B_1, B_2 \in F(C)$ such that $B_1 \subseteq B_2$, and let $E \in I(C)(B_1)$. If $B_1 = B_2$ nothing needs to be shown, i.e., we have $E \in I(C)(B_2)$ trivially. So, suppose $B_1 \subset B_2$. This means that for some $(n, V) \in \mathrm{SM}(C)$, both $V(0) = E$ and $V(n-1) = B_1$ hold. We claim that the stabilization sequence $(n+1, W)$ defined by $W(i) =_{\mathrm{df}} V(i)$, for $0 \leq i < n$, and $W(n) =_{\mathrm{df}} B_2$ is a model of $C$, which then entails $E \in I(C)(B_2)$. To prove $(n+1, W) \in \mathrm{SM}(C)$ we proceed by contradiction. Assume that there exists a transition $t$, say $P \wedge \neg N \supset D$, of $C$ such that $(n+1, W) \not\models t$. This implies that there must exist some $i \leq n$ such that $P \subseteq W(i)$, $N \cap W(n) = \emptyset$, and $D \not\subseteq W(i)$. Since $B_2 \in F(C)$, set $B_2$ is the final state of a sequence model of $C$. Thus, by the properties of intuitionistic truth, the singleton sequence $B_2$ must be a model of $C$, too. This means that the final state $W(n) = B_2$ of $W$ must satisfy $t$, i.e., $D \subseteq W(n)$. Hence, $i < n$ and $W(i) = V(i)$. Now, $N \cap B_2 = N \cap W(n) = \emptyset$ and $B_1 \subseteq B_2$ implies $N \cap V(n-1) = N \cap B_1 = \emptyset$. From this we conclude $(n, V) \not\models t$, which contradicts assumption $(n, V) \in \mathrm{SM}(C)$. Hence, we have $(n+1, W) \in \mathrm{SM}(C)$ and, as a consequence, $W(0) = V(0) = E$ and $W(n) = B_2$, i.e., $E \in I(C)(B_2)$. This completes the proof that $I(C)$ is monotonic.

Second, we verify that $I(C)(B)$ is intersection closed, for all $B \in F(C)$. Let $E_1, E_2 \in I(C)(B)$ and sequences $(n_1, V_1) \in \mathrm{SM}(C)$ and $(n_2, V_2) \in \mathrm{SM}(C)$ such that $V_1(n_1 - 1) = V_2(n_2 - 1) = B$, $E_1 = V_1(0)$, and $E_2 = V_2(0)$. Consider the 2-sequence $(2, U)$, where $U(0) =_{\mathrm{df}} E_1 \cap E_2$ and $U(1) =_{\mathrm{df}} B$. We claim that $(2, U) \in \mathrm{SM}(C)$. Suppose, by way of contradiction, that $t$ is a transition of $C$, say $P \wedge \neg N \supset D$, for which $(2, U) \not\models t$. Since $B = U(1)$ and $B \in F(C)$, i.e., $B$ is a singleton model of $C$, we know that $U(1) \models t$. Hence, any violation of $t$ by $(2, U)$ can only occur if $P \subseteq U(0)$, $N \cap U(1) = N \cap B = \emptyset$, and $D \not\subseteq U(0)$. Since $U(0) = E_1 \cap E_2$ it follows that $P \subseteq E_1$ and $P \subseteq E_2$. Furthermore, $D \not\subseteq U(0)$ implies $D \not\subseteq E_i$, for $i = 1$ or $i = 2$. In either case, the fact that $N \cap B = \emptyset$, as $B$ is the final state of $(n_i, V_i)$ for both $i \in \{1, 2\}$, implies $(n_i, V_i) \not\models t$, which contradicts our assumption. Thus, $(2, U) \in \mathrm{SM}(C)$, as desired. By construction we have $U(0) = E_1 \cap E_2$ and $U(1) = B$, whence $E_1 \cap E_2 \in I(C)(B)$. This completes the proof that $I(C)(B)$ is intersection closed.

Finally, we show that $\mathrm{Beh}(C)$ is directed if failure event $\bot$ does not occur in $C$. Let $B_1, B_2 \in F(C)$, i.e., $V_1(n_1 - 1) = B_1$ and $V_2(n_2 - 1) = B_2$, for some sequence models $(n_1, V_1), (n_2, V_2) \in \mathrm{SM}(C)$. Now, consider the 1-sequence $(1, V)$, where $V(0) =_{\mathrm{df}} B_1 \cup B_2 \cup \mathrm{act}(\mathrm{triggered}(C, B_1 \cup B_2))$, i.e., $B_1 \subseteq V(0)$ and $B_2 \subseteq V(0)$. Note that $V(0) \subseteq \Pi \setminus \{\bot\}$ and that $\bot$ is by assumption not included in any action. Hence, $(1, V)$ is a stabilization sequence. Moreover, $(1, V)$ is clearly a model of each transition of $C$ and, thus, of $C$. This implies $(1, V) \in \mathrm{SM}(C)$ and, further, $V(0) \in F(C)$. It can also be seen that $\mathrm{act}(\mathrm{trans}(C)) \subseteq \Pi \setminus \{\bot\}$ is a classical model of $C$, whence $F(C) \neq \emptyset$. Thus, $\mathrm{Beh}(C)$ is directed, which finishes the proof. □
The relationship between $\mathrm{Beh}(C)$ and $\mathrm{SM}(C)$ is further clarified by the following lemma, which illustrates how $\mathrm{Beh}(C)$ may be uniquely determined from $\mathrm{SM}(C)$.

Lemma 3.9. Let $C \in \mathcal{PC}$ be a parallel configuration.

1. For every stabilization sequence $(n, V)$, we have $(n, V) \in \mathrm{SM}(C)$ if and only if $V(n-1) \in F(C)$ and $V(i) \in I(C)(V(n-1))$, for all $i < n$.

2. $B \in \mathrm{RM}(C)$ if and only if $B \in F(C)$ and $I(C)(B) = \{B\}$.

According  to  Part  (1),  a  stabilization  sequence  M  is  an  element  of  SM{C)  if  and  only  if  it  is  a  sequence  of 
states  from  I{C){B)  such  that  B  G  F{C)  and  B  is  the  final  state  of  M.  This  implies  that  not  only  is  Beh{C) 
uniquely  determined  by  SM{C)  but  also,  vice  versa,  SM{C)  is  uniquely  determined  by  Beh{C). 
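Def. 3.7, the construction of $\mathrm{Beh}(C)$ from $2\mathrm{SM}(C)$, and both parts of Lemma 3.9 in executable form, as an added example that is not part of the paper. The input sets $2\mathrm{SM}(C)$ are written down by hand from Def. 3.1 (constructed data): for $\neg a \supset a$ and $\mathrm{true} \supset a$ as listed in Sect. 3.1, and for $C_{10} = \bar{b}/a \,\|\, b/a$ over $\{a, b\}$. From each the code reads off $(F(C), I(C))$, checks the three conditions of Def. 3.7 and directedness, obtains the response models via $I(B) = \{B\}$ (Lemma 3.9(2)), and regenerates the full set $\mathrm{SM}(C)$ as the chains through $I(B)$ ending in $B$ (Lemma 3.9(1)); for $C_{10}$ this yields the three-state model $(\emptyset, \{a\}, \{a,b\})$ that the 2-sequence models alone do not list. Function names such as `analyse` are the example's own.

```python
fs = frozenset

# Constructed input: 2SM(C), the 1- and 2-sequence models, listed by hand from
# Def. 3.1.  A 1-sequence (1,V) is the tuple (V(0),), a 2-sequence (2,V) the
# tuple (V(0), V(1)).
TWO_SM = {
    "not a -> a": {(fs("a"),), (fs(), fs("a"))},
    "true -> a":  {(fs("a"),)},
    "C10":        {(fs("a"),), (fs("ab"),), (fs(), fs("ab")), (fs("a"), fs("ab"))},
}

def behavior(two_sm):
    """Beh(C) = (F(C), I(C)) read off 2SM(C): F collects the final states, I(B)
    the initial states of the models ending in B (B itself via its 1-sequence)."""
    F = {seq[-1] for seq in two_sm}
    I = {B: {seq[0] for seq in two_sm if seq[-1] == B} for B in F}
    return F, I

def is_behavior(F, I):
    """The three conditions of Def. 3.7, plus I(B) consisting of subsets of B."""
    bounded = all(x <= b for b in F for x in I[b])
    monotone = all(I[b1] <= I[b2] for b1 in F for b2 in F if b1 <= b2)
    inter_closed = all((x & y) in I[b] for b in F for x in I[b] for y in I[b])
    reflexive = all(b in I[b] for b in F)
    return bounded and monotone and inter_closed and reflexive

def is_directed(F, I):
    return bool(F) and all(any(b1 <= b and b2 <= b for b in F)
                           for b1 in F for b2 in F)

def responses_of(F, I):
    """Lemma 3.9(2): B is an autonomous response iff I(B) = {B}."""
    return {b for b in F if I[b] == {b}}

def models_of(F, I):
    """Lemma 3.9(1): every strictly increasing chain of states from I(B) that
    ends in B is a sequence model, so SM(C) is recovered from Beh(C)."""
    result = set()
    def extend(prefix, final, states):
        if prefix[-1] == final:
            result.add(prefix)
            return
        for s in states:
            if prefix[-1] < s:
                extend(prefix + (s,), final, states)
    for b in F:
        for s in I[b]:
            extend((s,), b, I[b])
    return result

def analyse(name):
    F, I = behavior(TWO_SM[name])
    return {"behavior": is_behavior(F, I), "directed": is_directed(F, I),
            "responses": responses_of(F, I), "models": models_of(F, I)}

if __name__ == "__main__":
    for name in TWO_SM:
        print(name, analyse(name))
```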

Proof [Lemma 3.9]. Part (2) follows immediately from the definition of $\mathrm{Beh}(C)$ and $\mathrm{RM}(C)$. In addition, direction "$\Longrightarrow$" of Part (1) is trivial as it follows from the definition of $\mathrm{Beh}(C)$. To obtain the reverse direction of Part (1), we assume that $V(n-1) \in F(C)$ and $V(i) \in I(C)(V(n-1))$, for all $i < n$. Now, suppose $(n, V) \notin \mathrm{SM}(C)$, i.e., there exists a transition $t$, say $P \wedge \neg N \supset D$, of $C$ satisfying $(n, V) \not\models t$. Let $i < n$ be some index with $P \subseteq V(i)$, $N \cap V(n-1) = \emptyset$, and $D \not\subseteq V(i)$. Note that such an $i$ must exist since $(n, V)$ refutes $t$. From the assumption $V(i) \in I(C)(V(n-1))$ we infer the existence of a stabilization sequence $(m, W) \in \mathrm{SM}(C)$ with $W(0) = V(i)$ and $W(m-1) = V(n-1)$. But this implies $P \subseteq W(0)$, $N \cap W(m-1) = \emptyset$, and $D \not\subseteq W(0)$, which means $(m, W) \not\models t$, in contradiction to $(m, W) \in \mathrm{SM}(C)$. Hence, $(n, V) \in \mathrm{SM}(C)$, as desired. □

As a consequence of Lemma 3.9, we obtain that $\mathrm{Beh}(C)$ contains the same semantic information as $\mathrm{SM}(C)$.

Theorem 3.10 (Characterization). $\forall C, D \in \mathcal{PC}$, $\mathrm{Beh}(C) = \mathrm{Beh}(D)$ if and only if $\mathrm{SM}(C) = \mathrm{SM}(D)$.

Proof. Direction "$\Longleftarrow$" follows immediately from the fact that the behavior of a configuration is derived from its sequence models. The other direction "$\Longrightarrow$" is an implication of Lemma 3.9(1). □

In conjunction with Thm. 3.5, we conclude that equivalence in arbitrary parallel contexts can equally well be decided by behaviors: $\mathrm{Beh}(C) = \mathrm{Beh}(D)$ if and only if $(C \,\|\, R) \Longrightarrow_E A$ is equivalent to $(D \,\|\, R) \Longrightarrow_E A$, for all $R \in \mathcal{PC}$ and $E, A \subseteq_{\mathrm{fin}} \Pi$. The advantage of $\mathrm{Beh}(C)$ over $\mathrm{SM}(C)$ is that the former provides an irredundant representation of parallel configurations. Moreover, every finite behavior can be represented exactly. We call a behavior $\mathcal{C} = (F, I)$ $A$-finite, for $A \subseteq_{\mathrm{fin}} \Pi$, if $\mathcal{C}$ is uniquely determined by the subsets of $A$, i.e., $B \in F$ if and only if $B \cap A \in F$, and $X \in I(B)$ if and only if $X \cap A \in I(B \cap A)$. If $\mathcal{C}$ is $A$-finite, then the $A$-restriction $\mathcal{C}|_A =_{\mathrm{df}} (F|_A, I|_A)$, such that $F|_A =_{\mathrm{df}} F \cap 2^A$ and $I|_A(B) =_{\mathrm{df}} I(B)$, is finite and contains complete information about $\mathcal{C}$. For representation purposes it is convenient to confuse an $A$-finite behavior $\mathcal{C}$ with its finite restriction $\mathcal{C}|_A$. In a similar vein, we identify an $A$-bounded behavior $\mathcal{D} = (\{A\}, I)$ with the $A$-finite behavior generated by it, i.e., the uniquely defined behavior $\mathcal{C}$ such that $\mathcal{C}|_A = \mathcal{D}$. We frequently use these implicit restrictions and extensions in our examples without further mention. The exactness of behaviors as models of configurations is now an implication of the following theorem.

Theorem 3.11 (Completeness). $\mathcal{C}$ is an $A$-finite (directed) behavior if and only if there exists a configuration $C \in PC$ over events $A$ (not using failure event $\bot$) such that $\mathcal{C} = Beh(C)$.

Proof. Direction "$\Leftarrow$" of Thm. 3.11 is essentially the statement of Lemma 3.8. $A$-finiteness is a trivial consequence of the fact that the semantics of a configuration only depends on the events mentioned in it. We may thus focus on direction "$\Rightarrow$". Let $\mathcal{C} = (F, I)$ be an $A$-finite behavior. We are going to construct a configuration $C$ over events $A$ such that $Beh(C) = \mathcal{C}$. Since $Beh(C) = (F(C), I(C))$ is also $A$-finite, we can prove $Beh(C) = \mathcal{C}$ simply by establishing that their $A$-restrictions are identical. Thus, we only need to consider subsets of $A$, i.e., prove $F \cap 2^A = F(C) \cap 2^A$ and then $I(Y) = I(C)(Y)$ under the additional assumption that $Y \subseteq A$. Moreover, depending on whether $\mathcal{C}$ is directed or not, we can make further assumptions about $A$. First, if $\mathcal{C}$ is non-directed, then we assume that $\bot \in A$. This is permitted since $A$-finiteness is not affected by adding $\bot$ to $A$. Alternatively, if $\mathcal{C}$ is directed, then we may assume $A \in F$. Since $F \neq \emptyset$, the set $F \cap 2^A$ must be non-empty, too, and by directedness must contain a greatest element $A^* \in F \cap 2^A$. Then, $\mathcal{C}$ is also $A^*$-finite. Thus, if $A \notin F$, we may use $A^*$ instead of $A$.

Our construction of configuration $C$ uses the following uniform construction of transitions. We associate with every $E \subseteq B \subseteq A$, such that $B \in F$, an event set $(E,B)^* \subseteq \Pi$ defined by

$$(E,B)^* =_{df} \bigcap \{ E' \in I(B) \mid E \subseteq E' \subseteq B \}.$$

Note that this intersection is always non-empty since $E \subseteq B \subseteq B$ and $B \in I(B)$, by Prop. (3) of behaviors (cf. Def. 3.7). Intuitively, $(E,B)^*$ is the "best upper approximation" of stabilization sequence $(2,V)$, where $V(0) =_{df} E$ and $V(1) =_{df} B$, in $\mathcal{C}$. By construction and by Prop. (2) of behaviors,

$$E \subseteq (E,B)^* \subseteq B \quad\text{as well as}\quad (E,B)^* \in I(B).$$

The left-hand inclusion $E \subseteq (E,B)^*$ becomes an equality $(E,B)^* = E$ precisely if $E \in I(B)$. The right-hand inclusion $(E,B)^* \subseteq B$ is an equality $(E,B)^* = B$ if and only if $I(B) = \{B\}$. Now, we define a configuration $C \in PC$ from $\mathcal{C}$ as follows:

$$C =_{df} \big\Vert \{ (E \cup \overline{A \setminus B})/(E,B)^* \mid E \subseteq B \subseteq A \text{ and } B \in F \} \;\parallel\; \big\Vert \{ (B \cup \overline{A \setminus B})/(A \setminus B) \mid B \subseteq A \text{ and } B \notin F \}.$$

This is a finite configuration since all sets involved are finite and subsets of $A$. Observe that if $A$ does not contain $\bot$, then configuration $C$ does not use $\bot$ either. Hence, if $\mathcal{C}$ is directed, then $C$ is $\bot$-free, since by our assumptions $A \in F$ holds, which implies $\bot \notin A$. On the other hand, if $\mathcal{C}$ is non-directed, our assumption $\bot \in A$ has the effect that configuration $C$ actually uses event $\bot$ in its transitions.

The claim now is that $Beh(C) = \mathcal{C}$, i.e., $(F(C), I(C)) = (F, I)$. As discussed above, by $A$-finiteness, we can restrict ourselves to subsets of $A$. Moreover, whenever stabilization sequences occur, it suffices by Lemma 3.6 to consider those of at most length two. For convenience, a sequence $(1,V)$ is identified with the redundant sequence $(2,W)$, where $W(0) =_{df} W(1) =_{df} V(0)$. For stabilization sequences $(2,V)$, we also write $(V(0), V(1))$.

• We first show $F(C) \cap 2^A = F \cap 2^A$ and start with $F \cap 2^A \subseteq F(C) \cap 2^A$. Suppose $Y \subseteq A$ is such that $Y \notin F(C)$, i.e., there exists no $X \subseteq Y$ with $(X,Y) \in 2SM(C)$. In particular, $(Y,Y) \notin 2SM(C)$. Hence, there is a transition $t$ in $C$ which is falsified by $(Y,Y)$. If $t = (B \cup \overline{A \setminus B})/(A \setminus B)$, for some $B \subseteq A$ and $B \notin F$, we must have $Y = B$, whence $Y \notin F$. In case $t = (E \cup \overline{A \setminus B})/(E,B)^*$, for some $E \subseteq B \subseteq A$ and $B \in F$, we obtain $E \subseteq Y$ and $Y \cap (A \setminus B) = \emptyset$ and $(E,B)^* \not\subseteq Y$. The second property $Y \cap (A \setminus B) = \emptyset$ is equivalent to $Y \subseteq B$. Thus, together with the first property, we have $E \subseteq Y \subseteq B$. Now, suppose $Y \in F$. By Prop. (1) of behaviors (monotonicity), $I(Y) \subseteq I(B)$. This implies $(E,B)^* \subseteq (E,Y)^* \subseteq Y$, which would contradict the third property $(E,B)^* \not\subseteq Y$. Hence, $Y \notin F$, as desired. This proves $F \cap 2^A \subseteq F(C) \cap 2^A$.

For the other inclusion $F(C) \cap 2^A \subseteq F \cap 2^A$, suppose $Y \in F(C)$ and $Y \subseteq A$. Thus, $(Y,Y) \in 2SM(C)$. If $Y \notin F$, then $C$ contains transition $t = (Y \cup \overline{A \setminus Y})/(A \setminus Y)$. But, as one checks without difficulty, $(Y,Y) \not\models t$, which contradicts $(Y,Y) \in 2SM(C)$. (Note that $Y \notin F$ leaves only the cases $Y \subsetneq A$, or $Y = A$ and $\bot \in A$ by our assumption.) Hence, $Y \in F$, which establishes $F(C) \cap 2^A \subseteq F \cap 2^A$.

• We show $I(C)(Y) = I(Y)$, for all $Y \in F \cap 2^A = F(C) \cap 2^A$. Fix any $Y \in F \cap 2^A$. We first prove the inclusion $I(Y) \subseteq I(C)(Y)$. To this end, let $X \in I(Y)$ be given. We claim that $(X,Y) \in 2SM(C)$, which implies $X \in I(C)(Y)$. In order to show that $(X,Y)$ is a 2-sequence model of $C$ it will be convenient to use indices to refer to the states $X$ and $Y$ of this sequence and to use the notation $(V(0), V(1)) =_{df} (X,Y)$. Now, consider any of the transitions $t = (E \cup \overline{A \setminus B})/(E,B)^*$, where $E \subseteq B \subseteq A$ and $B \in F$. We check that $(V(0), V(1)) \models t$ following the definition of our semantics. If $V(1) \cap (A \setminus B) \neq \emptyset$ or, for no $i \in \{0,1\}$, $E \subseteq V(i)$, then we are done immediately. So assume $V(1) \cap (A \setminus B) = \emptyset$, which is the same as $V(1) \subseteq B$, and choose any $i \in \{0,1\}$ such that $E \subseteq V(i)$. Hence, we have $E \subseteq V(i) \subseteq V(1) \subseteq B$. By Prop. (1) of behaviors, $Y = V(1) \subseteq B$ implies $I(Y) \subseteq I(B)$. Furthermore, we have $V(i) \in I(Y)$. In case $i = 1$, this follows from Prop. (3) of behaviors; in case $i = 0$, this is the assumption $X \in I(Y)$. But $I(Y) \subseteq I(B)$ and $V(i) \in I(Y)$ implies $V(i) \in I(B)$. Hence, $V(i)$ is one of the $E'$ in the intersection $(E,B)^* = \bigcap \{ E' \in I(B) \mid E \subseteq E' \subseteq B \}$, from which we conclude $(E,B)^* \subseteq V(i)$. This establishes $(V(0), V(1)) \models t$. Now consider any of the other transitions $t = (B \cup \overline{A \setminus B})/(A \setminus B)$, for $B \subseteq A$ with $B \notin F$. To show $(V(0), V(1)) \models t$, again, we just need to consider the case $V(1) \cap (A \setminus B) = \emptyset$ or, equivalently, $V(1) \subseteq B$, and any $i \in \{0,1\}$ such that $B \subseteq V(i)$. Then, we have $B \subseteq V(i) \subseteq V(1) \subseteq B$. This yields $Y = V(1) = B$, which is a contradiction to the assumptions $Y \in F$ and $B \notin F$ by the construction of $t$. Hence, the proof of $(V(0), V(1)) \models t$ is complete. We are thus finished showing $X \in I(C)(Y)$, whence $I(Y) \subseteq I(C)(Y)$.

For the other inclusion, $I(C)(Y) \subseteq I(Y)$, let $X \subseteq Y$ be given such that $X \notin I(Y)$. We establish $(X,Y) \not\models (X \cup \overline{A \setminus Y})/(X,Y)^*$, which is a transition of $C$, as $Y \in F$ by assumption. But this follows from the fact that $X \subsetneq (X,Y)^*$, because $X \notin I(Y)$, and $(A \setminus Y) \cap Y = \emptyset$. Thus, $(X,Y) \notin 2SM(C)$, whence $X \notin I(C)(Y)$.

This completes the proof of Thm. 3.11. □

Summarizing, behaviors $Beh(C)$, for parallel configurations $C$, yield a very simple model representation of $SM(C)$. For any given $B \in F(C)$, the set $I(C)(B)$ is a finite $(\cap, \subseteq)$ semi-lattice with maximal element $B$. For every $B' \supseteq B$, the semi-lattice $I(C)(B)$ is a full sub-lattice of $I(C)(B')$. As a simple example, consider the configuration $C =_{df} bc/a \parallel ac/b \parallel \bar{a}/a \parallel \bar{b}/b \parallel \bar{c}/c$ over events $A = \{a, b, c\}$.

Its behavior $Beh(C)$ is $A$-finite and, when restricted to the relevant events $A$, may be depicted as in Fig. 3.1. Since $F(C) = \{A\}$ is a singleton set, we only have one $(\cap, \subseteq)$ semi-lattice $I(C)(A)$. Moreover, $SM(C)$ is precisely the set of sequences whose worldwise intersections with $A$ are paths in the diagram ending in top element $A$.
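The following Python program is an added example, not code from the paper. It enumerates the 2-sequence models of a parallel configuration over a finite event set, derives $Beh(C)$ restricted to $A$, computes $(E,B)^*$, and carries out the construction of Thm. 3.11 for the directed, $\bot$-free case. It assumes the satisfaction relation of Sec. 3 as it is used in the proofs above: $(X,Y) \models P\,\overline{N}/A$ iff, for each world $W \in \{X, Y\}$, $P \subseteq W$ and $N \cap Y = \emptyset$ imply $A \subseteq W$; and, by Lemma 3.6, that length-2 sequences suffice. Run on the example configuration of Fig. 3.1 it reproduces $F(C) \cap 2^A = \{A\}$, the "holes" $\{a,c\}$ and $\{b,c\}$ of $I(C)(A)$, and checks that the configuration constructed from $Beh(C)$ has exactly the same behavior, which is the content of the completeness theorem.

```python
from itertools import combinations


def subsets(s):
    """All subsets of a finite set, as frozensets (enumerates 2^A)."""
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


def trans(pos, neg, act):
    """A transition P N̄/A: positive trigger P, negated trigger N, action A."""
    return (frozenset(pos), frozenset(neg), frozenset(act))


def satisfies(X, Y, tr):
    """(X, Y) ⊨ P N̄/A for a 2-sequence X ⊆ Y (assumed reading of the Sec. 3
    semantics): in every world W of the sequence, if P ⊆ W and the negated
    trigger is absent from the final world (N ∩ Y = ∅), then A ⊆ W."""
    P, N, A = tr
    return all(A <= W for W in (X, Y) if P <= W and not (N & Y))


def two_sm(config, events):
    """2SM(C) with worlds drawn from 2^events: pairs X ⊆ Y satisfying every transition."""
    worlds = subsets(events)
    return {(X, Y) for Y in worlds for X in worlds
            if X <= Y and all(satisfies(X, Y, tr) for tr in config)}


def beh(config, events):
    """Beh(C) restricted to `events`: F = final worlds of the 2-sequence models,
    I(Y) = initial worlds of the models ending in Y (so Y ∈ I(Y) always holds)."""
    sm = two_sm(config, events)
    F = frozenset(Y for _, Y in sm)
    I = {Y: frozenset(X for X, Y2 in sm if Y2 == Y) for Y in F}
    return F, I


def star(E, B, I):
    """(E,B)* = ∩{E' ∈ I(B) | E ⊆ E' ⊆ B}; the family is non-empty since B ∈ I(B)."""
    return frozenset.intersection(*(Ep for Ep in I[B] if E <= Ep <= B))


def construct(F, I, events):
    """Thm. 3.11 construction, directed (⊥-free) case with `events` ∈ F:
    E (A\\B)‾/(E,B)* for all E ⊆ B ∈ F, and B (A\\B)‾/(A\\B) for all B ∉ F."""
    A = frozenset(events)
    config = [trans(E, A - B, star(E, B, I)) for B in F for E in subsets(B)]
    config += [trans(B, A - B, A - B) for B in subsets(A) if B not in F]
    return config


# The configuration of Fig. 3.1; overlined (negated) triggers go into the `neg` slot.
EVENTS = frozenset("abc")
EXAMPLE = [trans("bc", "", "a"), trans("ac", "", "b"),
           trans("", "a", "a"), trans("", "b", "b"), trans("", "c", "c")]


def example_behavior():
    """(F(C) ∩ 2^A, I(C)) for the Fig. 3.1 configuration."""
    return beh(EXAMPLE, EVENTS)


def holes():
    """Subsets of A missing from I(C)(A): the holes discussed with Fig. 4.1."""
    F, I = example_behavior()
    return set(subsets(EVENTS)) - set(I[EVENTS])


def roundtrip():
    """Completeness check: the configuration built from Beh(C) has behavior Beh(C)."""
    F, I = example_behavior()
    return beh(construct(F, I, EVENTS), EVENTS) == (F, I)


if __name__ == "__main__":
    F, I = example_behavior()
    print("F(C) ∩ 2^A =", [sorted(B) for B in F])
    print("I(C)(A)    =", sorted(sorted(X) for X in I[EVENTS]))
    print("holes      =", sorted(sorted(h) for h in holes()))
    print("round trip =", roundtrip())
```

The semi-lattice $I(C)(A)$ printed by the program is the set of worlds closed under the two rules $bc/a$ and $ac/b$; the three $\bar{x}/x$ transitions are what force every final world to contain $a$, $b$ and $c$, which is why $F(C) \cap 2^A$ collapses to $\{A\}$.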

4. Fully-abstract Semantics. We have seen in the previous section that the behavior of a parallel configuration $P$ in all parallel contexts is captured by its set of sequence models $SM(P)$ or, equivalently, its behavior $Beh(P)$. This yields a denotational semantics in which parallel composition is intersection, i.e., $SM(P_1 \parallel P_2) = SM(P_1) \cap SM(P_2)$. Similarly, $Beh(P_1 \parallel P_2) = Beh(P_1) \cap Beh(P_2)$, where the intersection is taken pointwise. The next section shows how this semantics can easily be extended to work with arbitrary contexts, thereby completely characterizing the semantics of $PC$. However, the question which still needs to be answered is how to capture the semantics of the choice operator $+$. In view of the fact that $\parallel$ is logical conjunction $\wedge$ in the intuitionistic logic of stabilization sequences, it would be natural to expect that $+$ corresponds to logical disjunction $\vee$ over sequence models. Unfortunately, the choice operator $+$ is not a disjunction on sequence models but on behaviors, i.e., on sets of sequence models.

[Fig. 3.1. $\{a,b,c\}$-bounded behavior: the $(\cap, \subseteq)$ semi-lattice $I(C)(A)$ of the example configuration, with worlds including $\emptyset$, $\{a\}$, $\{b\}$, $\{c\}$ and top element $\{a,b,c\}$; diagram not reproduced.]

As a simple counterexample for why logical disjunction on sequence models does not suffice, consider transitions $a/b$ and $b/a$. Moreover, assume that the semantics of $a/b + b/a$ would be completely described by formula $(a \supset b) \vee (b \supset a)$, when interpreted over stabilization sequences, i.e., $SM((a \supset b) \vee (b \supset a)) = SM(a \supset b) \cup SM(b \supset a)$. Now, as one can show, we have $K \models (a \supset b)$ or $K \models (b \supset a)$, for every stabilization sequence $K$. Thus, $SM((a \supset b) \vee (b \supset a))$ contains all stabilization sequences, whence the formula $(a \supset b) \vee (b \supset a)$ is a logical tautology. In terms of sequence models alone, $a/b + b/a$ would be equivalent to the empty configuration $0$. But obviously both configurations have different response behavior, as, e.g., $(a/b + b/a) \Downarrow_{\{a\}} \{a,b\}$ but only $0 \Downarrow_{\{a\}} \{a\}$. Also, the obvious idea of replacing linear stabilization sequences by arbitrary intuitionistic Kripke models does not work. We will see later that $a/b + b/a$ actually is step congruent to $a/b \parallel b/a$. Since the formulas $(a \supset b) \vee (b \supset a)$ and $(a \supset b) \wedge (b \supset a)$ are not intuitionistically equivalent, we cannot read $+$ as disjunction on arbitrary Kripke models. It does not appear sensible to try and find an intermediate class of intuitionistic Kripke models such that the behavior of sum configurations $P_1 + P_2$ can be characterized by the disjunctive formula $P_1 \vee P_2$. Such a semantics would have to use a modified interpretation of transition implication to account for different enabling properties. The next section shows that we need to distinguish transition $a/a$, which is triggered by $a$, from transition $b/b$, which is triggered by $b$. The naive logical interpretation would identify both transitions with $\mathit{true}$.

Instead of trying to read operator $+$ as logical disjunction, we will use semantics-preserving transformations to eliminate $+$ in favor of parallel composition, whose semantics we already know. There are two methods for achieving this. The naive method is to encode $+$ in terms of $\parallel$ using additional distinguished events to achieve mutual exclusion between the transitions on different sides of the choice operator. This will be discussed in App. C. The other method is to use an expansion law to distribute operator $+$ over operator $\parallel$ and to transform a configuration $C \in \mathcal{C}$ into a standard form $\sum_{i \in ind(C)} C_i$ where all $C_i \in PC$ are parallel configurations. The semantics of $C$ is then uniquely determined from the semantics of all $C_i$. The second method will be our main focus in this report since it is more algebraic than the first one and also does not depend on the use of distinguished events.

4.1. Reduction to Parallel Contexts. For extending the full-abstraction result to arbitrary contexts, one must address the following compositionality problem for $+$, which already manifests itself in Pnueli and Shalev's semantics. Consider configurations $C =_{df} b/b$ and $D =_{df} a/a \parallel b/b$, which have the same responses in all parallel contexts, i.e., $Beh(C) = Beh(D)$. However, in the choice context $\Phi[x] =_{df} (a/e + x) \parallel \text{-}/a$, we obtain $\Phi[D] \Downarrow \{a\}$ but $\Phi[C] \not\Downarrow \{a\}$. This context is able to detect that $D$ is enabled by environment $\text{-}/a$ while $C$ is not. Hence, to be fully compositional one has to take into account whether there exists a transition in $C$ that is triggered for a set $A$ of events. To store the desired information, we use the triggering indicator $\rho(C,A) \in \mathbb{B} =_{df} \{\mathit{ff}, \mathit{tt}\}$ defined by $\rho(C,A) =_{df} \mathit{tt}$, if $triggered(C,A) \neq \emptyset$, and $\rho(C,A) =_{df} \mathit{ff}$, otherwise. When $C \Downarrow_E A$, let us call response $A$ active, if $\rho(C,A) = \mathit{tt}$, and passive, otherwise. This distinction is all we need to reduce step congruence to parallel contexts. Indeed, two configurations are step-congruent if and only if they have the same active and passive step responses in all parallel contexts.

Proposition 4.1. Let $C, D \in \mathcal{C}$. Then, $C \simeq D$ if and only if $\forall P \in PC,\ E, A \subseteq_{fin} \Pi,\ b \in \mathbb{B}.\ ((C \parallel P) \Downarrow_E A \text{ and } \rho(C,A) = b)$ if and only if $((D \parallel P) \Downarrow_E A \text{ and } \rho(D,A) = b)$.
This proposition is a corollary to the more general Thm. 4.13 presented in Sec. 4.4. Prop. 4.1 now suggests the following refinement of the naive fully-abstract semantics $[\![\cdot]\!]_0$. For every $C \in \mathcal{C}$, we define

$$[\![C]\!]_1^{b} =_{df} \{ (A, P) \mid (C \parallel P) \Downarrow A,\ \rho(C,A) = b,\ P \in PC \},$$

where $b \in \mathbb{B}$. We may view $[\![C]\!]_1^{\mathit{tt}}$ as the collection of active and $[\![C]\!]_1^{\mathit{ff}}$ as the collection of passive responses for $C$ in parallel contexts. From Prop. 4.1, then, we obtain the following result.

Proposition 4.2. Let $C, D \in \mathcal{C}$. Then, $C \simeq D$ if and only if $[\![C]\!]_1^{\mathit{tt}} = [\![D]\!]_1^{\mathit{tt}}$ and $[\![C]\!]_1^{\mathit{ff}} = [\![D]\!]_1^{\mathit{ff}}$.

4.2. Reduction to Parallel Configurations. The next step is to eliminate the choice operator from the configurations themselves and to show that the response behavior of every configuration can be determined from that of its parallel components. As mentioned earlier, this will be achieved by transforming configurations into a standard form in which the choice operator is the outermost operator.

To begin with the development of a standard form, please observe that the naive distributivity law $(t_1 + t_2) \parallel t_3 \simeq (t_1 \parallel t_3) + (t_2 \parallel t_3)$, with the two occurrences of $t_3$ on the right-hand side suitably renamed, does in general not hold. As a counterexample, consider transitions $t_i =_{df} a_i \bar{b}_i / c_i$, for $1 \leq i \leq 3$, and assume that all events are mutually distinct. Then, in a context in which transition $t_2$ is enabled but not transition $t_1$, transition $t_3$ in $C =_{df} (t_1 + t_2) \parallel t_3$ is forced to interact with $t_2$, while in $D =_{df} (t_1 \parallel t_3) + (t_2 \parallel t_3)$ it may run by itself in the summand $t_1 \parallel t_3$. For example, if $E = \{a_2, a_3\}$ then $D \Downarrow_E \{a_2, a_3, c_3\}$, but the only $A$ with $c_3 \in A$ and $C \Downarrow_E A$ is $A = \{a_2, a_3, c_2, c_3\}$. The same applies if the context enables $t_1$ but not $t_2$. The naive distributivity law, however, can be patched as

$$(t_1 + t_2) \parallel t_3 \;\simeq\; t_1 \parallel D_1(t_3) \;+\; t_2 \parallel D_2(t_3),$$

where configurations $D_i(t_3)$, for $i \in \{1,2\}$, are suitable weakenings of $t_3$ that disable transition $t_3$ whenever $t_i$ is disabled but $t_{3-i}$ is enabled. There are two ways for defining such configurations.

The most elegant solution is to exploit the failure event $\bot$. In the example, we could define $D_i(t_3) =_{df} D_i \parallel t_3$, for $i \in \{1,2\}$, where

$$D_i =_{df} \bar{a}_i\, a_{3-i}\, \bar{b}_{3-i} / \bot \;\parallel\; b_i\, a_{3-i}\, \bar{b}_{3-i} / \bot.$$

The "watchdog" configuration $D_i$ is enabled exactly if $t_i$ is not enabled and $t_{3-i}$ is, in which case it produces a failure. Formally, for all parallel contexts $P$, configuration $D_i$ has the property $(D_i \parallel P) \Downarrow A$ if and only if (i) $P \Downarrow A$ and (ii) $A$ triggers $t_i$ or does not trigger $t_{3-i}$. Thus, $D_i$ does not change any of the responses of $P$, it only prohibits some of them. We will see below how this can be generalized, namely how one may construct, for any given configurations $C_1$ and $C_2$, a watchdog configuration $watch(C_1, C_2)$ such that $(D \parallel watch(C_1, C_2)) \Downarrow A$ if and only if $D \Downarrow A$ and ($triggered(C_1, A) \neq \emptyset$ or $triggered(C_2, A) = \emptyset$).

The second method of patching the naive distributivity law is to modify the parallel context itself and to strengthen the triggers of all its transitions. In our example, $D_i(t_3)$ would modify transition $t_3$ rather than composing a watchdog parallel to it. Appropriate weakenings $D_i(t_3)$, for $i \in \{1,2\}$, satisfying $C \simeq t_1 \parallel D_1(t_3) + t_2 \parallel D_2(t_3)$ are

$$D_i(t_3) =_{df} a_i\, \bar{b}_i\, a_3\, \bar{b}_3 / c_3 \;\parallel\; \bar{a}_{3-i}\, a_3\, \bar{b}_3 / c_3 \;\parallel\; b_{3-i}\, a_3\, \bar{b}_3 / c_3.$$

Now, configuration $D_i(t_3)$ has the same action as $t_3$, but is only enabled when $t_3$ is and when $t_i$ is enabled or $t_{3-i}$ is disabled. As intuitionistic formula, $D_i(t_3)$ is equivalent to $((a_i \wedge \neg b_i) \vee \neg a_{3-i} \vee b_{3-i}) \supset t_3$. This is the formal weakening of $t_3$ by the extra precondition $(a_i \wedge \neg b_i) \vee \neg a_{3-i} \vee b_{3-i}$, which captures exactly the situations in which $t_i$ is enabled or $t_{3-i}$ is disabled. This second approach, which does not depend on the use of explicit $\bot$ events in the actions of transitions, can be generalized to arbitrary configurations. Since this method is less local and more tedious, we do not consider it further. Both methods are essentially equivalent in the sense that the first version of $D_i(t_3)$, i.e., $watch(t_i, t_{3-i}) \parallel t_3 = \bar{a}_i\, a_{3-i}\, \bar{b}_{3-i}/\bot \parallel b_i\, a_{3-i}\, \bar{b}_{3-i}/\bot \parallel t_3$, is step congruent to the second version, i.e., $((a_i \wedge \neg b_i) \vee \neg a_{3-i} \vee b_{3-i}) \supset t_3 = a_i\, \bar{b}_i\, a_3\, \bar{b}_3/c_3 \parallel \bar{a}_{3-i}\, a_3\, \bar{b}_3/c_3 \parallel b_{3-i}\, a_3\, \bar{b}_3/c_3$, as can be derived from our intuitionistic semantics. Hence, the use of the failure event $\bot$ in the watchdog configurations is inessential.

To formally construct watchdogs in a finitary fashion, we need to refer to the events that occur in a configuration. For every configuration $C$, let $\Pi(C)$ denote the set of all events that syntactically occur in $C$. Then, we define $watch(C_1, C_2) \in PC$ to be the parallel configuration

$$\big\Vert \{ A\, \overline{E \setminus A} / \bot \mid A \subseteq E = \Pi(C_1) \cup \Pi(C_2),\ \rho(C_1, A) = \mathit{ff},\ \rho(C_2, A) = \mathit{tt} \}.$$

The crucial semantic property of watchdogs is now stated in the following proposition.

Proposition 4.3. Let $C_1, C_2, D \in \mathcal{C}$. Then, $(D \parallel watch(C_1, C_2)) \Downarrow A$ if and only if $D \Downarrow A$ and ($triggered(C_1, A) \neq \emptyset$ or $triggered(C_2, A) = \emptyset$).

Proof. In the following, let $E =_{df} \Pi(C_1) \cup \Pi(C_2)$. We begin with direction "$\Rightarrow$". Since all transitions of $watch(C_1, C_2)$ have event $\bot$ as their only action event, it follows from $(D \parallel watch(C_1, C_2)) \Downarrow A$ that none of the watchdog transitions can be enabled. This implies that response $A$ must come from configuration $D$ alone, i.e., $D \Downarrow A$. In particular, transition $A\,\overline{E \setminus A}/\bot$ cannot be included in $watch(C_1, C_2)$; otherwise, it would be enabled by response $A \subseteq E$. But this implies $\rho(C_1, A) \neq \mathit{ff}$ or $\rho(C_2, A) \neq \mathit{tt}$ or, equivalently, $triggered(C_1, A) \neq \emptyset$ or $triggered(C_2, A) = \emptyset$.

For proving direction "$\Leftarrow$", let us assume (1) $D \Downarrow A$ and (2) $triggered(C_1, A) \neq \emptyset$ or $triggered(C_2, A) = \emptyset$. Now, given any event set $A' \subseteq E$ satisfying $\rho(C_1, A') = \mathit{ff}$ and $\rho(C_2, A') = \mathit{tt}$, Assumption (2) implies $A \neq A'$. This means that none of the transitions $A'\,\overline{E \setminus A'}/\bot$ of $watch(C_1, C_2)$ is enabled. Therefore, Assumption (1) implies $(D \parallel watch(C_1, C_2)) \Downarrow A$ by the definition of step responses. □

The watchdogs admit the following simple expansion law whose proof, which can be found in App. B, is a direct application of Prop. 4.1.

Lemma 4.4 (Expansion). Let $P, Q, R \in \mathcal{C}$. Then, $(P + Q) \parallel R \;\simeq\; (watch(P, Q) \parallel P \parallel R) + (watch(Q, P) \parallel Q \parallel R)$.

Repeated application of Lemma 4.4 (expansion) can be used to systematically push all occurrences of choice operator $+$ to the outside of the configuration $C$ under consideration, until $+$ becomes the outermost operator. We can think of this transformation of $C$ as a static analysis which reveals the top-level choice structure of $C$. The general expansion algorithm, which is omitted here, associates with every $C \in \mathcal{C}$ a set $ind(C)$ of indices and, for every $i \in ind(C)$, a parallel configuration $C_i \in PC$. The configurations $C_i$ essentially correspond to the maximal consistent subsets of $trans(C)$, patched up with appropriate watchdog configurations.

Lemma 4.5 (Standard Form). Let $C \in \mathcal{C}$. Then, there exists a finite index set $ind(C)$ and parallel configurations $C_i \in PC$, for $i \in ind(C)$, such that $C \simeq \sum_{i \in ind(C)} C_i$.

Hence, $[\![C]\!]_1^{b} = [\![\sum_{i \in ind(C)} C_i]\!]_1^{b}$ by Prop. 4.2, for $b \in \mathbb{B}$. Moreover, since an active response of a sum must be an active response of one of its summands and since a passive response of a sum always is a passive response of all of its summands, we have

$$\Big[\!\!\Big[ \sum_{i \in ind(C)} C_i \Big]\!\!\Big]_1^{\mathit{tt}} = \bigcup_{i \in ind(C)} [\![C_i]\!]_1^{\mathit{tt}} \quad\text{and}\quad \Big[\!\!\Big[ \sum_{i \in ind(C)} C_i \Big]\!\!\Big]_1^{\mathit{ff}} = \bigcap_{i \in ind(C)} [\![C_i]\!]_1^{\mathit{ff}}.$$

Thus, we obtain the following proposition which states the desired reduction of the full-abstraction problem to parallel configurations within parallel contexts.

Proposition 4.6. Let $C, D \in \mathcal{C}$. Then, $C \simeq D$ if and only if

$$\bigcup_{i \in ind(C)} [\![C_i]\!]_1^{\mathit{tt}} = \bigcup_{j \in ind(D)} [\![D_j]\!]_1^{\mathit{tt}} \quad\text{and}\quad \bigcap_{i \in ind(C)} [\![C_i]\!]_1^{\mathit{ff}} = \bigcap_{j \in ind(D)} [\![D_j]\!]_1^{\mathit{ff}}.$$

Proof. We present the proof for two indices only, i.e., we assume $C \simeq C_1 + C_2$ and $D \simeq D_1 + D_2$, where $C_i, D_j \in PC$ are parallel configurations. The general case is handled in the same way, noting that $+$ is associative. Observe that the statement of Prop. 4.6 reduces to the congruence condition $[\![C]\!]_1 = [\![D]\!]_1$ expressed in Prop. 4.2, in case both configurations have only one index. In what follows, $\rho(C, \cdot) \in \mathbb{B}$ denotes again the enabling indicator, so that $\rho(C,A) = \mathit{ff}$, if $triggered(C,A) = \emptyset$, and $\rho(C,A) = \mathit{tt}$, otherwise.

• Direction "$\Leftarrow$": We assume

$$[\![C_1]\!]_1^{\mathit{tt}} \cup [\![C_2]\!]_1^{\mathit{tt}} = [\![D_1]\!]_1^{\mathit{tt}} \cup [\![D_2]\!]_1^{\mathit{tt}} \quad\text{and} \tag{4.1}$$

$$[\![C_1]\!]_1^{\mathit{ff}} \cap [\![C_2]\!]_1^{\mathit{ff}} = [\![D_1]\!]_1^{\mathit{ff}} \cap [\![D_2]\!]_1^{\mathit{ff}}. \tag{4.2}$$

We must show, by Prop. 4.1, that for every parallel configuration $P \in PC$ and every $E, A \subseteq_{fin} \Pi$,

$$((C_1 + C_2) \parallel P) \Downarrow_E A \;\text{ implies }\; ((D_1 + D_2) \parallel P) \Downarrow_E A \;\text{ and }\; \rho(D_1 + D_2, A) = \rho(C_1 + C_2, A) \tag{4.3}$$

and vice versa, with the roles of $C_i$ and $D_i$ interchanged. We may assume that $E = \emptyset$ since any $E$ is already quantified implicitly by $P$. Moreover, it suffices to prove the implication in Statement (4.3) because of symmetry. Suppose that $((C_1 + C_2) \parallel P) \Downarrow A$. By Lemma 4.9 we have to consider the following two cases:

1. There exists some index $i \in \{1,2\}$ such that $(C_i \parallel P) \Downarrow A$ and $\rho(C_i, A) = \mathit{tt}$.

2. For both indices $i \in \{1,2\}$, it is true that $\rho(C_i, A) = \mathit{ff}$ and $(C_i \parallel P) \Downarrow A$.

In Case (1), by definition, $(A, P) \in [\![C_i]\!]_1^{\mathit{tt}}$. From Equation (4.1) it follows that there exists some $j \in \{1,2\}$ such that $(A, P) \in [\![D_j]\!]_1^{\mathit{tt}}$. But this yields $((D_1 + D_2) \parallel P) \Downarrow A$ and $\rho(D_j, A) = \mathit{tt}$ when reading Lemma 4.9 backwards. Hence, $\rho(D_1 + D_2, A) = \mathit{tt} = \rho(C_1 + C_2, A)$, which proves Statement (4.3) in Case (1). Regarding Case (2), $(A, P) \in [\![C_i]\!]_1^{\mathit{ff}}$ holds for both $i \in \{1,2\}$, whence by Equation (4.2), $(A, P) \in [\![D_j]\!]_1^{\mathit{ff}}$, for both $j \in \{1,2\}$. This means that $(D_1 \parallel P) \Downarrow A$ and $(D_2 \parallel P) \Downarrow A$, as well as $\rho(D_1, A) = \mathit{ff} = \rho(D_2, A)$. So, by employing Lemma 4.9 backwards, we obtain $((D_1 + D_2) \parallel P) \Downarrow A$ and $\rho(D_1 + D_2, A) = \mathit{ff} = \rho(C_1 + C_2, A)$, as desired.

• Direction "$\Rightarrow$": For this direction, let us assume $C \simeq D$, i.e., $C_1 + C_2 \simeq D_1 + D_2$. Let $(A, P) \in [\![C_1]\!]_1^{\mathit{tt}}$, i.e., $(C_1 \parallel P) \Downarrow A$ and $\rho(C_1, A) = \mathit{tt}$. By Lemma 4.9, then, $((C_1 + C_2) \parallel P) \Downarrow A$, from which we may infer $((D_1 + D_2) \parallel P) \Downarrow A$ and $\rho(D_1 + D_2, A) = \rho(C_1 + C_2, A) = \mathit{tt}$ by Prop. 4.1. This means, by Lemma 4.9, that $\rho(D_i, A) = \mathit{tt}$ and $(D_i \parallel P) \Downarrow A$, for some $i \in \{1,2\}$. Thus, $(A, P) \in [\![D_1]\!]_1^{\mathit{tt}} \cup [\![D_2]\!]_1^{\mathit{tt}}$, which implies $[\![C_1]\!]_1^{\mathit{tt}} \subseteq [\![D_1]\!]_1^{\mathit{tt}} \cup [\![D_2]\!]_1^{\mathit{tt}}$. A similar argument shows that $[\![C_2]\!]_1^{\mathit{tt}} \subseteq [\![D_1]\!]_1^{\mathit{tt}} \cup [\![D_2]\!]_1^{\mathit{tt}}$, which yields $[\![C_1]\!]_1^{\mathit{tt}} \cup [\![C_2]\!]_1^{\mathit{tt}} \subseteq [\![D_1]\!]_1^{\mathit{tt}} \cup [\![D_2]\!]_1^{\mathit{tt}}$. The other direction follows by symmetry.

Finally, assume $(A, P) \in [\![C_1]\!]_1^{\mathit{ff}} \cap [\![C_2]\!]_1^{\mathit{ff}}$, i.e., $\rho(C_i, A) = \mathit{ff}$ and $(C_i \parallel P) \Downarrow A$, for both $i \in \{1,2\}$. Lemma 4.9 implies $((C_1 + C_2) \parallel P) \Downarrow A$. Now we apply Prop. 4.1 again, which establishes $((D_1 + D_2) \parallel P) \Downarrow A$. Moreover, $\rho(D_1 + D_2, A) = \rho(C_1 + C_2, A) = \mathit{ff}$, whence both $\rho(D_1, A) = \mathit{ff} = \rho(D_2, A)$. A final reference to Lemma 4.9 implies $(D_1 \parallel P) \Downarrow A$ and $(D_2 \parallel P) \Downarrow A$. This verifies the inclusion $[\![C_1]\!]_1^{\mathit{ff}} \cap [\![C_2]\!]_1^{\mathit{ff}} \subseteq [\![D_1]\!]_1^{\mathit{ff}} \cap [\![D_2]\!]_1^{\mathit{ff}}$. The other direction, again, is by symmetry.

This finishes the proof. □

Prop. 4.6 yields a second refinement of our fully-abstract semantics that now only depends on the response behavior of parallel configurations in parallel contexts. However, it still refers to the syntax. In the next section the main work will be done, presenting a semantic analysis of the dynamic interaction between parallel configurations.

We finally want to remark that our definition of watchdogs is not the most efficient one possible. For instance, consider configurations $C_1$ and $C_2 =_{df} \bar{b}/cd$ (the definition of $C_1$ is not legible in the extracted text), for which $E =_{df} \Pi(C_1) \cup \Pi(C_2) = \{a, b, c, d\}$. Then, the sets $A \subseteq E$, for which both $\rho(C_1, A) = \mathit{ff}$ and $\rho(C_2, A) = \mathit{tt}$, are $A_1 =_{df} \emptyset$, $A_2 =_{df} \{c\}$, $A_3 =_{df} \{d\}$, and $A_4 =_{df} \{c, d\}$. Thus, we get by our definition of watchdogs:

$$watch(C_1, C_2) = A_1\,\overline{E \setminus A_1}/\bot \parallel A_2\,\overline{E \setminus A_2}/\bot \parallel A_3\,\overline{E \setminus A_3}/\bot \parallel A_4\,\overline{E \setminus A_4}/\bot = \bar{a}\bar{b}\bar{c}\bar{d}/\bot \parallel c\,\bar{a}\bar{b}\bar{d}/\bot \parallel d\,\bar{a}\bar{b}\bar{c}/\bot \parallel c\,d\,\bar{a}\bar{b}/\bot.$$

This parallel configuration, read as logic formula, corresponds to the conjunction

$$\neg(\neg a \wedge \neg b \wedge \neg c \wedge \neg d) \wedge \neg(c \wedge \neg a \wedge \neg b \wedge \neg d) \wedge \neg(d \wedge \neg a \wedge \neg b \wedge \neg c) \wedge \neg(c \wedge d \wedge \neg a \wedge \neg b)$$

which is classically, as well as intuitionistically, equivalent to $\neg(\neg a \wedge \neg b)$. Hence, the four sets $A_1$ to $A_4$ could as well be described by the conjunction $\neg a \wedge \neg b$. Indeed, one can show that $watch(C_1, C_2) \simeq \bar{a}\bar{b}/\bot$, which is obviously a more compact formulation. In general, as suggested above, we may invoke classic Boolean logic to simplify watchdogs, as watchdogs are essentially negated formulas which behave classically.
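The watchdog construction of this section and the simplification remark above, as an added Python example (not code from the paper). It assumes the reading of $triggered(C, A)$ used throughout: a transition $P\,\overline{N}/A$ is triggered by event set $A$ iff $P \subseteq A$ and $N \cap A = \emptyset$. Since the definition of $C_1$ is lost in the extracted text, the example uses a constructed $C_1 =_{df} a/c$ (an assumption; any configuration that is triggered exactly when $a$ is present would do) together with the paper's $C_2 =_{df} \bar{b}/cd$. It generates the four watchdog transitions over $E = \{a,b,c,d\}$, recovers the trigger sets $A_1, \ldots, A_4$, and checks that the generated watchdog fires on exactly the same event sets as the compact $\bar{a}\bar{b}/\bot$, which is the trigger-level content of $watch(C_1, C_2) \simeq \bar{a}\bar{b}/\bot$.

```python
from itertools import combinations

BOT = "⊥"  # the failure event


def subsets(s):
    """All subsets of a finite set, as frozensets."""
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


def trans(pos, neg, act):
    """A transition P N̄/A as (positive trigger, negated trigger, action)."""
    return (frozenset(pos), frozenset(neg), frozenset(act))


def events_of(config):
    """Π(C): every event occurring syntactically in C (triggers and actions)."""
    return frozenset().union(*(P | N | A for P, N, A in config))


def triggered(config, A):
    """triggered(C, A) (assumed reading): transitions with P ⊆ A and N ∩ A = ∅."""
    return [tr for tr in config if tr[0] <= A and not (tr[1] & A)]


def rho(config, A):
    """Triggering indicator ρ(C, A): True stands for tt, False for ff."""
    return bool(triggered(config, A))


def watch(C1, C2):
    """watch(C1, C2) = || { A (E\\A)‾/⊥ | A ⊆ E = Π(C1) ∪ Π(C2), ρ(C1,A) = ff, ρ(C2,A) = tt }."""
    E = events_of(C1) | events_of(C2)
    return [trans(A, E - A, {BOT}) for A in subsets(E)
            if not rho(C1, A) and rho(C2, A)]


def blocked_sets(watchdog, E):
    """Event sets A ⊆ E on which the watchdog is triggered, i.e. would raise ⊥."""
    return {A for A in subsets(E) if rho(watchdog, A)}


def same_blocking(w1, w2, E):
    """Two watchdogs are interchangeable over E iff they fire on the same A ⊆ E."""
    return blocked_sets(w1, E) == blocked_sets(w2, E)


# C1 = a/c is a constructed stand-in (the page's C1 is illegible); C2 = b̄/cd is the paper's.
C1 = [trans("a", "", "c")]
C2 = [trans("", "b", "cd")]


def example_watchdog():
    """The four-transition watchdog watch(C1, C2) over E = {a, b, c, d}."""
    return watch(C1, C2)


def example_trigger_sets():
    """The positive triggers A1..A4 of the generated watchdog transitions."""
    return {P for P, _, _ in example_watchdog()}


def compact_equivalent():
    """Does the compact watchdog ā b̄/⊥ fire on exactly the same sets as watch(C1, C2)?"""
    E = events_of(C1) | events_of(C2)
    return same_blocking(example_watchdog(), [trans("", "ab", {BOT})], E)


if __name__ == "__main__":
    for P, N, A in example_watchdog():
        print(f"{''.join(sorted(P))} {''.join(sorted(N))}‾ / {''.join(A)}")
    print("trigger sets:", sorted(sorted(s) for s in example_trigger_sets()))
    print("same blocking as ā b̄/⊥:", compact_equivalent())
```

`blocked_sets` is the semantic object the Boolean simplification preserves: each generated transition $A_k\,\overline{E \setminus A_k}/\bot$ fires on exactly one subset of $E$, so the watchdog as a whole fires on $\{A_1, \ldots, A_4\}$, and any single transition (here $\bar{a}\bar{b}/\bot$) whose trigger picks out the same family of subsets is an equally good watchdog.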

4.3. Full-abstraction Theorem. Once a configuration $C \in \mathcal{C}$ is transformed into a sum $\sum_{i \in ind(C)} C_i$ of parallel configurations, its semantics may be uniquely determined by the behavior of the $C_i \in PC$. By Prop. 4.1 it is enough to know the responses of each $C_i$ in all parallel contexts, together with the information of whether these responses are active or passive. Moreover, by Thms. 3.5 and 3.10, the responses of $C_i$ in all parallel contexts are characterized by their behaviors $Beh(C_i)$. Therefore, the responses of $C$ in all contexts must be determined by the sets $Beh(C_i)$ and $\rho(C_i, A)$, for all $i \in ind(C)$ and $A \subseteq_{fin} \Pi \setminus \{\bot\}$. Unfortunately, the obvious but somewhat naive idea of simply collecting all the sets $Beh(C_i)$, together with their triggering behavior $\lambda A.\, \rho(C_i, A)$, and then considering the identity of sets as equivalence does not work. The semantics defined in this direct way, namely $[\![C]\!] =_{df} \{ (Beh(C_i), \lambda A.\, \rho(C_i, A)) \mid i \in ind(C) \}$, would not allow us to derive, e.g., the congruence $a/b + b/a \simeq a/b \parallel b/a$. Indeed, it is not the case that $[\![a/b + b/a]\!] = \{ (Beh(a/b), \lambda A.\, \rho(a/b, A)),\ (Beh(b/a), \lambda A.\, \rho(b/a, A)) \}$ is the same set as $[\![a/b \parallel b/a]\!] = \{ (Beh(a/b \parallel b/a), \lambda A.\, \rho(a/b \parallel b/a, A)) \}$ since, e.g., $Beh(a/b)$ is different from $Beh(a/b \parallel b/a)$. However, it is true that $Beh(a/b)$ and $Beh(b/a)$ together cover the same behavior as $Beh(a/b \parallel b/a)$. To achieve a simple formalization of this covering property, it is useful to consider the "complements" of $Beh(a/b)$, $Beh(b/a)$, and $Beh(a/b \parallel b/a)$, to which we refer as (semantic) contexts.

Definition 4.7 (Context). Let $A \subseteq_{fin} \Pi$. An $A$-bounded behavior $\mathcal{D} = (F, I)$ is called an $A$-context for $C \in PC$ if (i) $A \in F(C)$, and (ii) $I(A) \cap I(C)(A) = \{A\}$ holds, where $(F(C), I(C)) = Beh(C)$.
[Fig. 4.1. Complement behavior for Fig. 3.1 (left) and its covering $\{a,b,c\}$-contexts (right): $\mathcal{D}_1$ with elements $\{a,c\}$ and $\{a,b,c\}$, $\mathcal{D}_2$ with elements $\{b,c\}$ and $\{a,b,c\}$; diagram not reproduced.]

An $A$-context $\mathcal{P}$ of $C$ represents a set of sequences that all end in the final world $A$, in which also some sequence model of $C$ must end (cf. Prop. (i)), but which only have the final world $A$ in common with the sequence models of $C$ (cf. Prop. (ii)). These properties imply that, for every configuration $P$ with $Beh(P) = \mathcal{P}$, we have $(C \| P) \Downarrow A$. Note that, since every $A$-context $(F, I)$ is $A$-bounded, $I$ is essentially just a $\cap$-closed subset of $2^A$ with top element $A$. In other words, an $A$-context $(F, I)$ may be identified with the complete $(\cap, \subseteq)$ sub-semi-lattice $I(A)$ of $2^A$. We will henceforth use the simpler presentation $(A, I(A))$ rather than $(\{A\}, I)$. In fact, we might even write $I(A)$ since the top element is uniquely determined, but it is often useful to indicate the top element explicitly.

In the following, we will only be interested in the maximal $A$-contexts of a configuration $C \in \mathcal{PC}$, where maximality is with respect to the natural component-wise subset-ordering on $A$-bounded behaviors. More precisely, given two $A$-bounded behaviors $\mathcal{P} = (A, I(A))$ and $\mathcal{P}' = (A, I'(A))$, we say that $\mathcal{P}$ is a sub-behavior of $\mathcal{P}'$, written $\mathcal{P} \sqsubseteq \mathcal{P}'$, if $I(A) \subseteq I'(A)$. Then, an $A$-context $\mathcal{P}$ of $C$ is called maximal if $\mathcal{P} \sqsubseteq \mathcal{P}'$ implies $\mathcal{P} = \mathcal{P}'$, for all $A$-contexts $\mathcal{P}'$ of $C$. Because of the finiteness of $A$-bounded behaviors, every $A$-context of $C$ must be contained in a maximal one.

Consider again the example $C =_{df} \cdots \| a/a \| b/b \| c/c$ from above, whose $A$-bounded behavior $Beh(C) = (\{A\}, I(C))$, where $A = \{a, b, c\}$, is described by the diagram of Fig. 3.1. To get the $A$-contexts of $C$, we must consider the "holes" in $I(C)(A)$, i.e., all $B \subseteq A$ that are missing in the lattice of Fig. 3.1. This is illustrated by the left diagram in Fig. 4.1, where lattice $Beh(C)$ is indicated by dashed lines and the holes by solid arrows. As one can see, this "complement" is not itself a behavior, e.g., it is not $\cap$-closed, but it can be covered by the two $A$-contexts

$\mathcal{P}_1 =_{df} (\{a, b, c\}, \{\{a, c\}, \{a, b, c\}\})$ and $\mathcal{P}_2 =_{df} (\{a, b, c\}, \{\{b, c\}, \{a, b, c\}\})$, (4.4)

which are drawn separately in Fig. 4.1 on the right. In fact, $\mathcal{P}_1$ and $\mathcal{P}_2$ are the two maximal $A$-contexts of $Beh(C)$. Since they are behaviors, the $A$-contexts can be represented by parallel configurations, such as $P_1 =_{df} \cdots \| \cdots$ and $P_2 =_{df} \cdots \| \cdots$, respectively. These maximal $A$-contexts subsume all environments in which $C$ takes part in response $A$. Indeed, one can check that $(C \| P_1) \Downarrow A$ and $(C \| P_2) \Downarrow A$.

For every $C \in \mathcal{PC}$ and $b \in \mathbb{B}$ we finally define

$\llbracket C \rrbracket_2^{b} =_{df} \{ (A, I(A)) \mid A \subseteq_{fin} \Pi,\ \rho(C, A) = b,\ \text{and } (A, I(A)) \text{ is an } A\text{-context for } C \}.$

The elements $(A, L) \in \llbracket C \rrbracket_2^{b}$ are $(\cap, \subseteq)$ sub-semi-lattices $L$ of $2^A$ that represent all the bounded context behaviors, i.e., environments, generating the joint response $A$. The superscript $b \in \mathbb{B}$ determines whether $C$ is actively participating ($b = tt$) or only passively admitting ($b = ff$) the macro step resulting in $A$. In the latter case, the response must entirely come from the environment. This is reflected in the fact that all passive contexts $(A, L) \in \llbracket C \rrbracket_2^{ff}$ are of the form $(A, L) = (A, \{A\})$, which we will abbreviate as $id_A$ for convenience. The passive $A$-context $id_A$ means that the environment $P$ must be equivalent to transition $-/A$ in order for $(C \| P) \Downarrow A$ to hold. Another structural property, which we may take advantage of, is that an $A$-context $\mathcal{P}$ is contained in $\llbracket C \rrbracket_2^{b}$ if and only if there exists a maximal $A$-context $\mathcal{P}_{max} \in \llbracket C \rrbracket_2^{b}$ with $\mathcal{P} \sqsubseteq \mathcal{P}_{max}$. Consequently, we only need to list the maximal elements of $\llbracket C \rrbracket_2^{b}$ relative to any given response $A$. We now obtain our main theorem as a corollary to Prop. 4.6 and Thm. 3.5.

Theorem 4.8 (Full Abstraction). Let $C, D \in \mathcal{C}$. Then, $C \simeq D$ if and only if

$$\bigcup_{i \in ind(C)} \llbracket C_i \rrbracket_2^{tt} = \bigcup_{j \in ind(D)} \llbracket D_j \rrbracket_2^{tt} \quad \text{and} \quad \bigcap_{i \in ind(C)} \llbracket C_i \rrbracket_2^{ff} = \bigcap_{j \in ind(D)} \llbracket D_j \rrbracket_2^{ff}.$$

The proof of this theorem requires the following distributivity property stated in terms of admissible sets of transitions, which is proved in App. A.

Lemma 4.9 (Distributivity). Let $S, C, D \in \mathcal{C}$ be configurations, $E \subseteq_{fin} \Pi$, and $T \subseteq \mathcal{T}$. Then, $T$ is $E$-admissible for $S \| (C + D)$ if and only if one of the following conditions holds:

1. $T \cap trans(C) \neq \emptyset$, and $T$ is $E$-admissible for $S \| C$.

2. $T \cap trans(D) \neq \emptyset$, and $T$ is $E$-admissible for $S \| D$.

3. $T \subseteq trans(S)$, and $T$ is $E$-admissible for both $S \| C$ and $S \| D$.

Moreover, in Case (1) we have $T \subseteq trans(S \| C)$ and in Case (2) $T \subseteq trans(S \| D)$.

Using this lemma, we are now going to prove Thm. 4.8.

Proof [Theorem 4.8]. We begin with two observations about $A$-contexts, for $A \subseteq_{fin} \Pi$. First, for every $P \in \mathcal{PC}$, consider the pair $Beh(P, A) =_{df} (A, L)$ with $L =_{df} \{ V(0) \mid (n, V) \in SM(P) \text{ and } V(n-1) = A \}$. For every $C \in \mathcal{PC}$, it possesses the property

$(C \| P) \Downarrow A$ if and only if $Beh(P, A)$ is an $A$-context of $C$. (4.5)

This follows essentially from Thm. 3.4 and Def. 4.7 of $A$-contexts. Note that if $A$ is not a classic model of $P$ then $Beh(P, A)$ is not even a behavior. Second, suppose $(A, L)$ is a $(\cap, \subseteq)$ sub-semi-lattice of $2^A$. Then, by Thm. 3.11, there must exist a parallel configuration $P \in \mathcal{PC}$ in the events $A$ and not using $\bot$, such that $Beh(P)$, when restricted to the events $A$, is identical to $(A, I(A))$, as well as $I(A) = L$. These also satisfy, for every $C \in \mathcal{PC}$, the property

$(C \| P) \Downarrow A$ if and only if $(A, L)$ is an $A$-context of $C$. (4.6)

Thm. 4.8 is now a consequence of Prop. 4.6 and the following facts. For all $A \subseteq_{fin} \Pi$, $D \in \mathcal{PC}$, and $b \in \mathbb{B}$:

$\forall L\, \exists P.\ (A, L) \in \llbracket D \rrbracket_2^{b}$ if and only if $(A, P) \in \llbracket D \rrbracket_1^{b}$, and (4.7)

$\forall P\, \exists L.\ (A, P) \in \llbracket D \rrbracket_1^{b}$ if and only if $(A, L) \in \llbracket D \rrbracket_2^{b}$. (4.8)

For establishing Statements (4.7) and (4.8), we use Statements (4.6) and (4.5), respectively, together with the construction of behavior $Beh(P, A)$ and Thm. 3.5. In both cases, we also exploit that the triggering indicator $\rho$ only depends on $A$, but not on the above $P$ or $L$. Thm. 4.8 is derived from Statements (4.7) and (4.8) and from Prop. 4.6 in the obvious fashion. □

Let us consider some examples. For the configuration $C$ in Fig. 4.1, we have $\llbracket C \rrbracket_2^{tt} = \{\mathcal{P}_1, \mathcal{P}_2\}$ and $\llbracket C \rrbracket_2^{ff} = \emptyset$, where $\mathcal{P}_1$ and $\mathcal{P}_2$ are given in Equation (4.4). Note that, here and in the following, we only list maximal contexts. This structure can also be generated from the sum $D_1 + D_2$, where $D_1 =_{df} ac/b \| b/b \| c/c$ and $D_2 =_{df} bc/a \| b/b \| a/a$. One obtains

$\llbracket D_1 \rrbracket_2^{tt} = \{\mathcal{P}_1\}$, $\llbracket D_2 \rrbracket_2^{tt} = \{\mathcal{P}_2\}$, $\llbracket D_1 \rrbracket_2^{ff} = \{ id_{\{b,c\}} \}$, and $\llbracket D_2 \rrbracket_2^{ff} = \{ id_{\{a,b\}} \}$.

Hence, $\llbracket D_1 \rrbracket_2^{tt} \cup \llbracket D_2 \rrbracket_2^{tt} = \llbracket C \rrbracket_2^{tt}$ and $\llbracket D_1 \rrbracket_2^{ff} \cap \llbracket D_2 \rrbracket_2^{ff} = \emptyset = \llbracket C \rrbracket_2^{ff}$. By Thm. 4.8, then, $C \simeq D_1 + D_2$. The Statecharts axiom hidden in this example, which reflects a causality principle, is

$a/b \| b/a \simeq a/b + b/a$, (4.9)

for any events $a, b \in \Pi$. Intuitively, this congruence states that, if $a$ and $b$ mutually depend on each other (left-hand side), then either $a$ causes $b$ or $b$ causes $a$ (right-hand side). We might call this the "tie-break axiom" or "causality axiom." More specifically, we obtain the following semantics:

$\llbracket a/b \| b/a \rrbracket_2^{tt} = \{ (\{a, b\}, \{\{a\}, \{a, b\}\}),\ (\{a, b\}, \{\{b\}, \{a, b\}\}) \}$

$\llbracket a/b \| b/a \rrbracket_2^{ff} = \{\ \}$

$\llbracket a/b \rrbracket_2^{tt} = \{ (\{a, b\}, \{\{a\}, \{a, b\}\}) \}$

$\llbracket a/b \rrbracket_2^{ff} = \{ id_{\emptyset},\ id_{\{b\}} \}$

$\llbracket b/a \rrbracket_2^{tt} = \{ (\{a, b\}, \{\{b\}, \{a, b\}\}) \}$

From this we compute $\llbracket a/b \| b/a \rrbracket_2^{tt} = \llbracket a/b \rrbracket_2^{tt} \cup \llbracket b/a \rrbracket_2^{tt}$ and $\llbracket a/b \| b/a \rrbracket_2^{ff} = \llbracket a/b \rrbracket_2^{ff} \cap \llbracket b/a \rrbracket_2^{ff}$. Hence, with Thm. 4.8, the congruence in Equation (4.9) is obtained.

To finish off, we return to Sec. 3 and re-visit the compositionality problem in the light of our semantics. First of all, one verifies that $C_{10} = b/a + \bar{b}/a \simeq b/a \| \bar{b}/a = C_9$, as stated in Sec. 3. The semantics of parallel configuration $C_9 \in \mathcal{PC}$ is

$\llbracket C_9 \rrbracket_2^{tt} = \{ (\{a\}, \{\emptyset, \{a\}\}),\ (\{a, b\}, \{\{b\}, \{a, b\}\}) \}$ and $\llbracket C_9 \rrbracket_2^{ff} = \emptyset$.

The active and passive contexts of $b/a$ have been given above; it remains to analyze $\bar{b}/a$:

$\llbracket \bar{b}/a \rrbracket_2^{tt} = \{ (\{a\}, \{\emptyset, \{a\}\}) \}$ and $\llbracket \bar{b}/a \rrbracket_2^{ff} = \{ id_{\{a,b\}} \}$.

When combining the pieces, we obtain $\llbracket C_9 \rrbracket_2^{tt} = \llbracket b/a \rrbracket_2^{tt} \cup \llbracket \bar{b}/a \rrbracket_2^{tt}$ and $\llbracket C_9 \rrbracket_2^{ff} = \emptyset = \llbracket b/a \rrbracket_2^{ff} \cap \llbracket \bar{b}/a \rrbracket_2^{ff}$, whence $C_9 \simeq b/a + \bar{b}/a = C_{10}$. In addition, our semantics shows why configurations $C_9$ and $C_{10}$ are distinguished from $C_{14} = -/a \| b/a$. Configuration $C_{14}$ has the active $\{a, b\}$-context $(\{a, b\}, \{\emptyset, \{b\}, \{a, b\}\}) \in \llbracket C_{14} \rrbracket_2^{tt}$, which is not contained in $\llbracket C_9 \rrbracket_2^{tt}$ or in $\llbracket b/a \rrbracket_2^{tt} \cup \llbracket \bar{b}/a \rrbracket_2^{tt}$. This $\{a, b\}$-context $(\{a, b\}, \{\emptyset, \{b\}, \{a, b\}\})$ corresponds to context $[x] \| a/b$ used in Sec. 3 to differentiate $C_9$ from $C_{14}$. It shows that $\Phi[C_{14}] \Downarrow \{a, b\}$ but $\Phi[C_9] \not\Downarrow \{a, b\}$.

With Thm. 4.8 (full abstraction) we have finally achieved our goal. Summarizing, the fully-abstract semantics developed in this report consists of the mapping given by

$$\llbracket C \rrbracket_3 =_{df} \Big( \bigcup_{i \in ind(C)} \llbracket C_i \rrbracket_2^{tt},\ \bigcap_{i \in ind(C)} \llbracket C_i \rrbracket_2^{ff} \Big).$$

Thm. 4.8 implies that $C \simeq D$ if and only if $\llbracket C \rrbracket_3 = \llbracket D \rrbracket_3$. This means that $\llbracket \cdot \rrbracket_3$ is compositional in the algebraic sense, i.e., if $\llbracket C \rrbracket_3 = \llbracket D \rrbracket_3$ then $\llbracket \Phi[C] \rrbracket_3 = \llbracket \Phi[D] \rrbracket_3$ for all contexts $\Phi[x]$. In contrast to $\llbracket C \rrbracket_1$, and indeed to the starting point $\llbracket C \rrbracket_0$, this fully-abstract interpretation $\llbracket C \rrbracket_3$ is both satisfactorily semantic and finite. It is also natural in that it realizes the obvious logical interpretation of (parallel) configurations as sequences of micro steps. Hence, the Statecharts semantics of Pnueli and Shalev is quite natural and elegant. Moreover, we believe that $\llbracket C \rrbracket_3$, in combination with Lemma 4.4 (expansion), directly lends itself to be applied for a model-based implementation of Pnueli and Shalev's semantics, which does not require backtracking for handling failure.

However, our semantics $\llbracket \cdot \rrbracket_3$ is not denotational, which would require that $\llbracket \Phi[C] \rrbracket_3$ is obtained directly from $\llbracket C \rrbracket_3$, when reading the syntactic operators of $\Phi[x]$ as suitable constructions in the semantic domain. As presented, the definition of $\llbracket C \rrbracket_3$ depends on the transformation of $C$ into a sum form, which is a purely syntactic process. For a denotational semantics, this "normalization" would have to be performed directly in the semantic domain.

4.4. Conservativity. This section establishes that our extension of the standard Statecharts syntax by arbitrary choices $C + D$, where $C, D \in \mathcal{C}$, and by the failure event $\bot$ is conservative, i.e., the full-abstraction result regarding our configuration algebra is also true for the original Statecharts language. As a byproduct of our investigation, we obtain a proof for Prop. 4.1, too.

Formally, let $\mathcal{C}_f$ be some distinguished subset of $\mathcal{C}$, and let $\mathcal{PC}_f$ be the parallel configurations in $\mathcal{C}_f$, i.e., $\mathcal{PC}_f =_{df} \mathcal{C}_f \cap \mathcal{PC}$. In the fragments $\mathcal{C}_f$ and $\mathcal{PC}_f$, we consider two congruences $\simeq_f$ and $\simeq^+_f$, respectively, which are defined as follows:

$C \simeq_f D$ if and only if $\forall \Phi[x] \in \mathcal{C}_f,\ E, A \subseteq_{fin} \Pi.\ \ \Phi[C] \Downarrow_E A$ if and only if $\Phi[D] \Downarrow_E A$.

$C \simeq^+_f D$ if and only if $\forall P \in \mathcal{PC}_f,\ E, A \subseteq_{fin} \Pi,\ b \in \mathbb{B}.$
$((C \| P) \Downarrow_E A$ and $\rho(C, A) = b)$ if and only if $((D \| P) \Downarrow_E A$ and $\rho(D, A) = b)$.

In the special case $\mathcal{C}_f = \mathcal{C}$, we simply write $\simeq$ and $\simeq^+$ instead of $\simeq_f$ and $\simeq^+_f$, respectively. The key step towards our conservativity result is to show that, when fragment $\mathcal{C}_f$ encompasses a minimum amount of discriminating contexts, the equivalence between $C \simeq D$ and $C \simeq^+ D$ entails the equivalence between $C \simeq_f D$ and $C \simeq^+_f D$.

Lemma 4.10. Let $\mathcal{C}_f$ be a fragment of $\mathcal{C}$ satisfying the following two conditions: (i) $\mathcal{C}_f$ is closed under the operations $[\cdot] + t$ and $[\cdot] \| t$, for all transitions $t$ in $\mathcal{C}_f$, is closed under sub-configurations, and contains at least the transitions $-/A$, for all $A \subseteq_{fin} \Pi \setminus \{\bot\}$; and (ii) $C \simeq D$ if and only if $C \simeq^+ D$. Then, $C \simeq_f D$ if and only if $C \simeq^+_f D$.

The proof of this lemma can be found in App. A. A direct consequence of it, for the fragment $\mathcal{C}_f =_{df} \mathcal{C}$, is Prop. 4.1, which essentially states that $C \simeq D$ is equivalent to $C \simeq^+ D$. As another consequence, consider the standard fragment $\mathcal{C}_s \subseteq \mathcal{C}$ of Statecharts, which consists of all configurations that (1) use the hierarchy operator only in the special form $[\cdot] + t$, for arbitrary transitions $t \in \mathcal{T}$, and (2) do not contain the failure event $\bot$ or its negation in any transition trigger or action.

Given an arbitrary parallel configuration $P \in \mathcal{PC}$, we define its standardization to be the configuration $P_s \in \mathcal{PC}_s$, obtained from $P$ by dropping all transitions containing $\bot$ in their triggers or actions, as well as dropping all occurrences of $\bar{\bot}$ from the triggers of the remaining transitions. Note that $P_s$ may be the empty configuration even though $P$ is not. Obviously, by removing from $P$ transitions with $\bot$ in their actions, we lose information about the failure behavior of $P$. In fact, $P_s$ does not produce any failure due to the presence of events. For example, parallel configuration $P$ might contain transition $a/\bot$. Then, $P$ produces a failure whenever the environment offers event $a$, but $P_s$ does not since $a/\bot$ is dropped. To recover this information, we define, for every $P \in \mathcal{PC}$, a set $fail(P)$ of those environments that would trigger a transition having $\bot$ in its actions and, hence, would produce a failure. More precisely, let $P_\bot \in \mathcal{PC}$ be the parallel composition of all transitions of $P$ that have $\bot$ in their action. Then, $fail(P) =_{df} \{ A \subseteq_{fin} \Pi \setminus \{\bot\} \mid \rho(P_\bot, A) = tt \}$. Taking into account the sets $fail(P)$, we can show that this standardization does not change the communication behavior of parallel configurations.

Lemma 4.11. Let $C \in \mathcal{C}$, $A \subseteq_{fin} \Pi$, and $P \in \mathcal{PC}$. Then, $(C \| P) \Downarrow A$ if and only if $(C \| P_s) \Downarrow A$ and $A \notin fail(P)$.

Proof. Let $P \in \mathcal{PC}$ and $A \subseteq_{fin} \Pi \setminus \{\bot\}$ be arbitrary. We first prove that

$A \notin fail(P)$ implies $triggered(P, A) = triggered(P_s, A)$. (4.10)

Inclusion $triggered(P_s, A) \subseteq triggered(P, A)$ is trivial since the transitions of $P_s$ are a subset of those of $P$, possibly having an extra trigger event $\bar{\bot}$ in $P$, which does not affect their enabling as $\bot \notin A$. For the inclusion $triggered(P, A) \subseteq triggered(P_s, A)$, we assume $A \notin fail(P)$. Let $t \in triggered(P, A)$, i.e., $t$ is a transition of $P$ enabled by $A$. Since $A \notin fail(P)$, transition $t$ does not have event $\bot$ in its action. Similarly, it cannot have $\bot$ in its trigger; otherwise, it would not be enabled, given $\bot \notin A$. This means that $t$ must be contained in $P_s$, with any $\bar{\bot}$ in its trigger removed. In any case, transition $t$ is still enabled. Hence, $triggered(P, A) \subseteq triggered(P_s, A)$. Statement (4.10) implies that $(C \| P) \Downarrow A$ if and only if $(C \| P_s) \Downarrow A$ and $A \notin fail(P)$, for all $C \in \mathcal{C}$, since $P$ is a parallel context, and that $(D \| R) \Downarrow A$ implies $\bot \notin A$ and $A \notin fail(R)$, for any configurations $D \in \mathcal{C}$ and $R \in \mathcal{PC}$. □
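Both the compositionality example that closes Sec. 4.3 and Lemma 4.11 can be exercised mechanically on small configurations. The following Python program is an added illustration and not code from the paper: it implements Pnueli and Shalev's step construction for parallel configurations (one transition per micro step; a branch fails when a negated trigger of an already fired transition is violated or when the failure event is produced), the $A$-context test of Def. 4.7 under one reading of the sequence models of Sec. 3 (worlds grow towards the final world $A$, a transition $E/A'$ is the implication $E \supset A'$, and a negated trigger event is true at a world iff the event is absent from $A$; this reading is an assumption of the example), and the standardization $P_s$ and the set $fail(P)$ of this section. It reproduces the claim that $C_9 = b/a \| \bar{b}/a$ and $C_{14} = -/a \| b/a$ respond alike in every environment over $\{a, b\}$ while the parallel context $a/b$ separates them, checks Property (4.5) for both configurations against that context, and checks Lemma 4.11 on a constructed context $-/b \| a/\bot$. All function names are this example's own.

```python
from itertools import combinations

BOT = "\u22a5"   # the failure event ⊥, encoded as a single character (assumption)


def tr(pos="", neg="", act=""):
    """A transition E/A with one letter per event: `pos` and `neg` are the
    positive and negated events of trigger E, `act` the events of action A.
    The transition -/a is tr(act="a"); the transition b~/a is tr(neg="b", act="a")."""
    return (frozenset(pos), frozenset(neg), frozenset(act))


def enabled(t, world):
    """Trigger holds in `world`: positive events present, negated ones absent."""
    pos, neg, _ = t
    return pos <= world and not (neg & world)


def responses(config, env=()):
    """Macro-step responses of the parallel configuration `config` (a list of
    transitions) in environment `env`, following the Pnueli/Shalev step
    construction: fire one enabled transition per micro step until nothing
    further is enabled.  A branch fails, and contributes no response, when the
    current world violates a negated trigger of a transition already fired
    (global consistency) or contains the failure event."""
    results = set()

    def step(world, fired):
        if BOT in world or any(neg & world for _, neg, _ in fired):
            return                                      # failure: branch discarded
        cands = [t for t in config if t not in fired and enabled(t, world)]
        if not cands:
            results.add(world)                          # stable: a macro step
        for t in cands:
            step(world | t[2], fired | {t})

    step(frozenset(env), frozenset())
    return results


def subsets(events):
    events = sorted(events)
    return [frozenset(c) for r in range(len(events) + 1)
            for c in combinations(events, r)]


def holds(config, world, final):
    """All transitions of `config` hold at `world` in a linear Kripke model whose
    worlds grow towards `final`, reading E/A as the implication E -> A.  A negated
    event is true at a world iff it is absent from the final world (assumed reading)."""
    return all(act <= world for pos, neg, act in config
               if pos <= world and not (neg & final))


def initial_worlds(config, final):
    """I(C)(A): the initial worlds of sequence models of `config` that end in A."""
    return {b for b in subsets(final) if holds(config, b, final)}


def is_context(ctx, config, final):
    """Def. 4.7: Beh(ctx, A) is an A-context for `config`, i.e. (i) A is a final
    world of `config` and (ii) the two sets of initial worlds share only A."""
    final = frozenset(final)
    if not holds(config, final, final):
        return False
    return (initial_worlds(ctx, final) & initial_worlds(config, final)) == {final}


def standardize(config):
    """P_s of Sec. 4.4: drop transitions with ⊥ in their action or positive
    trigger, and remove a negated ⊥ from the triggers of the remaining ones."""
    return [(pos, neg - {BOT}, act) for pos, neg, act in config
            if BOT not in act and BOT not in pos]


def fail(config, alphabet):
    """fail(P): environments A over `alphabet` that enable a ⊥-producing transition."""
    return {a for a in subsets(alphabet)
            if any(enabled(t, a) for t in config if BOT in t[2])}


# The example closing Sec. 4.3: C9 = b/a || b~/a, C14 = -/a || b/a, context a/b.
C9 = [tr("b", "", "a"), tr("", "b", "a")]
C14 = [tr("", "", "a"), tr("b", "", "a")]
CTX = [tr("a", "", "b")]


def agree_in_all_environments(c1, c2, alphabet):
    return all(responses(c1, e) == responses(c2, e) for e in subsets(alphabet))


def property_4_5_holds(config, ctx, alphabet):
    """(C || P) ⇓ A  iff  Beh(P, A) is an A-context of C, for every A over alphabet."""
    joint = responses(config + ctx)
    return all((a in joint) == is_context(ctx, config, a) for a in subsets(alphabet))


def lemma_4_11_holds(config, ctx, alphabet):
    """(C || P) ⇓ A  iff  (C || P_s) ⇓ A and A not in fail(P), for every A."""
    joint = responses(config + ctx)
    std = responses(config + standardize(ctx))
    bad = fail(ctx, alphabet)
    return all((a in joint) == (a in std and a not in bad) for a in subsets(alphabet))


if __name__ == "__main__":
    print(agree_in_all_environments(C9, C14, "ab"))          # True
    print(responses(C14 + CTX), responses(C9 + CTX))         # {{a,b}} and set()
    print(is_context(CTX, C14, "ab"), is_context(CTX, C9, "ab"))
    print(property_4_5_holds(C9, CTX, "ab"), property_4_5_holds(C14, CTX, "ab"))
    P = [tr("", "", "b"), tr("a", "", BOT)]                  # -/b || a/⊥ (constructed)
    print(lemma_4_11_holds([tr("b", "", "a")], P, "ab"))    # True
```

The step construction explores every firing order, so a configuration whose branches all violate global consistency, such as $C_9 \| a/b$ from the empty environment, yields no response at all; that is exactly the $\not\Downarrow$ in the text. The context test never runs the step construction: it only compares initial-world lattices, which is what makes the agreement with Property (4.5) on these inputs informative.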

As  a  consequence  of  the  above  lemma,  we  now  obtain  the  desired  result  for  the  standard  fragment. 

Lemma 4.12. Let $C, D \in \mathcal{C}$. Then, $C \simeq^+ D$ if and only if $C \simeq^+_s D$.

Proof. Direction "$\Rightarrow$" is trivial since the standard parallel contexts are just a special class of parallel contexts. For the other direction, suppose $C \simeq^+_s D$. Let $P \in \mathcal{PC}$, $A \subseteq_{fin} \Pi$, and $b \in \mathbb{B}$ be such that $(C \| P) \Downarrow A$ and $\rho(C, A) = b$. By direction "$\Rightarrow$" of Lemma 4.11, $(C \| P_s) \Downarrow A$ and $A \notin fail(P)$. Since $P_s \in \mathcal{PC}_s$ and $C \simeq^+_s D$, we infer $(D \| P_s) \Downarrow A$ and $\rho(D, A) = b$. Another application of Lemma 4.11, this time direction "$\Leftarrow$" for configuration $D$, yields $(D \| P) \Downarrow A$. Hence, we have shown that, for all $P \in \mathcal{PC}$, $A \subseteq_{fin} \Pi$, and $b \in \mathbb{B}$,

$((C \| P) \Downarrow A$ and $\rho(C, A) = b)$ implies $((D \| P) \Downarrow A$ and $\rho(D, A) = b)$.

Since our argument is symmetric in $C$ and $D$, we can establish the other direction, too. □

We  are  now  ready  to  summarize  the  conservativity  properties. 

Theorem 4.13 (Conservativity). For arbitrary $C, D \in \mathcal{C}$, the following statements are equivalent:

(1) $C \simeq D$, (2) $C \simeq^+ D$, (3) $C \simeq_s D$, and (4) $C \simeq^+_s D$.

Proof. The equivalence "(1) $\Leftrightarrow$ (2)" follows from Lemma 4.10 for the fragment $\mathcal{C}_f =_{df} \mathcal{C}$, whereas equivalence "(2) $\Leftrightarrow$ (4)" is the statement of Lemma 4.12. Finally, equivalence "(3) $\Leftrightarrow$ (4)" arises from specializing Lemma 4.10 to fragment $\mathcal{C}_s$, using result "(2) $\Leftrightarrow$ (4)" and the fact that $\mathcal{C}_s$ satisfies Assumption (i) required in Lemma 4.10. □

The equivalence of $C \simeq D$ and $C \simeq_s D$ is a crucial result since it shows that there are no additional semantic distinctions introduced by our use of a more general configuration syntax. Hence, whenever we restrict ourselves to the standard fragment we obtain exactly the same compositional semantics as if we had used the restricted language in the first place. This substantiates our claim that our semantics is fully abstract for Statecharts and the operational step semantics of Pnueli and Shalev, despite the fact that we are employing a slightly richer syntax.

5. Related Work. Our investigation focused on Pnueli and Shalev's original presentation [17] of Statecharts and its macro-step semantics. Like [17] we only consider single macro steps since it is here where the main challenge for a fully-abstract semantics of Statecharts lies. The elegance of Pnueli and Shalev's operational semantics manifests itself in the existence of an equivalent declarative fixed point semantics. However, as illustrated in [17], this equivalence breaks down when allowing disjunctions in transition triggers. For example, the configurations $(\bar{a} \vee b)/a$ and $\bar{a}/a \| b/a$ do not have, as was expected, the same response behavior. This subtlety can be explained in our intuitionistic framework. In Pnueli and Shalev's setting, $\bar{a} \vee b$ is classically interpreted as "throughout the macro step, not $a$ or $b$." In contrast, this report's approach reads the configuration as "throughout the macro step not $a$, or throughout the macro step $b$." Our stronger intuitionistic interpretation restores the coincidence of operational and declarative semantics. This assumes, of course, that the former is adjusted accordingly, which is not difficult, however. The step procedure must only ensure that, whenever transition $(\bar{a} \vee b)/a$ is fired due to absence of $a$, event $a$ is prohibited to occur in any subsequent micro step. Our approach also suggests other extensions to larger fragments of intuitionistic logic, such as "higher-order" transitions, e.g., $(a \supset b) \supset c$, which may be explored in the future.

Our framework can also be employed for analyzing various other asynchronous Statecharts variants with global consistency. One example is the work of Maggiolo-Schettini et al. [15], which is inspired by the process-algebraic semantics presented in [13, 18]. In [15], and also in [14], the step-construction procedure cannot fail since a transition is only considered to be enabled if it is enabled in the sense of Pnueli and Shalev and if it does not produce any event that violates global consistency. This novel semantics is specified using a notion of compatibility [15] which introduces a look-ahead concept for avoiding failures during the construction of macro steps. As an example, consider configuration $C =_{df} t_1 \| t_2$, where $t_1 =_{df} a/b$ and $t_2 =_{df} \bar{b}/a$. According to [15], when $C$ is evaluated in the empty environment, the response $\{a\}$ is obtained: First, transition $t_2$ fires due to the absence of event $b$, thereby producing event $a$. The presence of $a$ now satisfies the trigger of $t_1$. Its execution would introduce event $b$, whence transition $t_1$ is incompatible with $t_2$ which has fired due to the absence of event $b$. Therefore, transition $t_1$ is disabled in [15]. In Pnueli and Shalev's original semantics, however, $t_1$ is enabled with the consequence that the step construction is forced to fail. The difference between the two semantics can be explained in terms of stabilization sequences. While Pnueli and Shalev take $t_1$ to stand for the specification $a \supset b$ and $t_2$ for $\neg b \supset a$, Maggiolo-Schettini et al. apply the interpretation $a \supset (b \vee \neg b)$ for $t_1$ and $\neg b \supset (a \vee \neg a)$ for $t_2$. Thus, e.g., $t_1$ is read as "if $a$ becomes present then either $b$ is asserted or $b$ never becomes present." The second case "$b$ never becomes present" accommodates the possibility that $t_1$, even though its trigger $a$ is satisfied, is not taken due to an incompatibility with another transition in the environment that requires the global absence of $b$. A similar remark applies to transition $t_2$. Indeed, one can show that configuration

$C_{enc} =_{df} t_1 \| t_2 = (a \supset (b \vee \neg b)) \wedge (\neg b \supset (a \vee \neg a))$

possesses $\{a\}$ as a response model, in the sense of Def. 3.3, which is in accordance with the operational semantics of [15]. Note that this encoding, again, crucially depends on the fact that $a \vee \neg a$ differs from $true$ in intuitionistic logic. Generalizing this example, we conjecture that the transition semantics of [14, 15] can be captured in terms of response models by reading a transition $E/A$ as formula $E \supset (A \vee \neg A)$. Of course, our language of configurations needs to be extended to allow disjunctions as part of transition actions. We further want to remark that it is possible to translate between the two considered semantics [15, 17] using our framework. For instance, the sequence model semantics of $C_{enc}$ may be captured by configuration $a/b + \bar{b}/a$. This configuration has the same operational behavior in Pnueli and Shalev's step semantics as $C$ has in [15]. Moreover, we expect that our semantics may also be useful to derive full-abstractness results for the semantics in [15] and other Statecharts semantics with global consistency. Especially, lifting our results to sequences of macro steps should not present any major difficulties when employing the standard framework of transition systems.

Other investigations into the compositionality problem of Statecharts were conducted by Uselton and Smolka [18] who model Statecharts' macro steps by labeled transition systems in a process-algebraic style. They achieve compositionality by using partial orders on events, which encode causality information, as transition labels. As was pointed out by Levi in [13], the partial orders on events used by Uselton and Smolka are not sufficient to capture Pnueli and Shalev's semantics faithfully. Levi's semantics remedies the problem by employing partial orders on sets of events. Although this semantics complies with the one of Pnueli and Shalev, no full-abstraction result is presented. It should be noted that our semantics, too, uses a lattice-theoretic structure on sets of events. The elements $(A, L)$ of $\llbracket C \rrbracket_2^{tt}$, which represent the active responses of $C$, are $(\cap, \subseteq)$ sub-lattices of $2^A$ that correspond to the transition labels in Levi's work. The main difference between our approach and the ones in [13, 18] is that our lattices do not contain any negative events, whence they may be considered more semantic in nature. The precise relationship between our semantics and that of [13] still needs to be explored.

Our intuitionistic approach is also related to recent work in synchronous languages, especially Berry's ESTEREL [3]. In ESTEREL, causality is traditionally treated separately from compositionality and synchrony, as part of type-checking specifications. If the (conservative) type checker finds causality to be violated, it rejects the specification under consideration. Otherwise, the specification's semantics can be determined in a very simple fashion, since one may — in contrast to Statecharts semantics — abstract from the construction details of macro steps while preserving compositionality. This was shown by Broy in [5], using a domain-theoretic account of abstracting from a sequence of micro steps to a macro step based on streams. The more recent Version 5 of ESTEREL, however, replaces the restrictive treatment of causality by defining a semantics via a particular Boolean logic that is constructive [2], as is intuitionistic logic. The constructive semantics of ESTEREL is especially interesting since it relates to the traditional semantics for digital circuits [2, 4].

Denotational semantics and full abstraction were also studied by Huizing et al. [10, 11] for an early and later on rejected Statecharts semantics [9]. In particular, that semantics does not consider global consistency, which makes their result largely incomparable to ours. Also, the abstractness result is proved with respect to a richer set of syntactic operators than we consider here. Finally, it should be mentioned that the lack of compositionality of Statecharts semantics inspired the development of new visual languages, such as Alur et al.'s communicating hierarchical state machines [1], Maraninchi's ARGOS [16], and Leveson's RSML [12].

6. Conclusions and Future Work. To the best of our knowledge, this is the first report to present a fully-abstract Statecharts semantics for Pnueli and Shalev's original macro-step semantics [17]. The latter semantics was found to be non-compositional as it employs classic logic for interpreting macro steps. In contrast, our semantics borrows ideas from intuitionistic logic. It encodes macro steps via stabilization sequences which we characterized using semi-lattice structures, called behaviors. Behaviors capture the interactions between Statecharts and their environments and consistently combine the notions of causality, global consistency, and synchrony in a model-theoretic fashion. Thus, our approach suggests a model-based implementation of Pnueli and Shalev's semantics, thereby eliminating the need to implement failure via backtracking. It further permits the introduction of more general trigger conditions, including disjunctions, which solves some of the difficulties reported in [17].

Regarding future work, several further theoretical investigations need to be conducted. First, we plan to derive a fully-abstract denotational semantics for Statecharts on the basis of our results. To this end, we need to find a semantic mapping that does not depend on a syntactic normalization. Second, the macro-step semantics for single configurations should be lifted to the full Statecharts semantics which involves sequences of macro steps. We also intend to employ our framework for developing algebraic characterizations of step congruence and for uniformly comparing various variants of Statecharts' macro-step semantics studied in the literature [13, 14, 15]. Practical applications of our work include semantic-based program transformations, abstract analyses, and compositional code generation.
Appendix A. Proofs of Lemmas 4.4 and 4.10. We first prove Lemma 4.4.

Proof. First note that we may assume $T \subseteq trans(C) \cup trans(D) \cup trans(S)$. Otherwise, $T$ would not be admissible for any of $S \| (C + D)$, or $S \| C$, or $S \| D$, in which case the statement of the theorem would be trivially true. Under this assumption, then, Conds. (1) $T \cap trans(C) \neq \emptyset$, (2) $T \cap trans(D) \neq \emptyset$, and (3) $T \subseteq trans(S)$ cover all possible cases. We first derive a few simple facts about the relationship between function $enabled$ for $S \| (C + D)$, on the one hand, and $enabled$ for $S \| C$ and $S \| D$, on the other hand. We start off by stating the equality

$enabled(S \| (C + D), E, T') = enabled(S \| C, E, T') \cup enabled(S \| D, E, T')$ (A.1)

which can be proved by a straightforward calculation employing the definition of $enabled$. Next, observe that, for all $T'' \subseteq trans(S \| C)$ and all sets $T' \subseteq \mathcal{T}$ of transitions, we have

$enabled(S \| (C + D), E, T') \cap T'' = enabled(S \| C, E, T') \cap T''$ (A.2)

and, symmetrically, if $T'' \subseteq trans(S \| D)$, then

$enabled(S \| (C + D), E, T') \cap T'' = enabled(S \| D, E, T') \cap T''$. (A.3)

The proofs of these statements are quite easy, as in the first case, we have $consistent(S \| (C + D), T') \cap T'' = consistent(S \| C, T') \cap T''$; in the second case, $consistent(S \| (C + D), T') \cap T'' = consistent(S \| D, T') \cap T''$. Now we proceed to prove our distributivity lemma. We begin with Case (1), i.e., $T \cap trans(C) \neq \emptyset$. Suppose that $T$ is $E$-admissible for $S \| (C + D)$. Since $T$ contains at least one transition from $C$, it cannot include any transition from $D$; otherwise, $T$ would not be consistent for $S \| (C + D)$. Thus, $\emptyset \neq T \subseteq trans(S \| C)$. The property of $E$-admissibility and Prop. (A.2) imply

$T = enabled(S \| (C + D), E, T) = enabled(S \| C, E, T) \cap trans(S \| C) = enabled(S \| C, E, T)$. (A.4)

Now let $T' \subsetneq T$ be given. Since $T$ is $E$-inseparable and $T \subseteq trans(S \| C)$, we have by Prop. (A.2) that

$enabled(S \| C, E, T') \cap (T \setminus T') = enabled(S \| (C + D), E, T') \cap (T \setminus T') \neq \emptyset$.

Together with Prop. (A.4), this shows that $T$ must be $E$-admissible for $S \| C$. Vice versa, if $T$ is $E$-admissible for $S \| C$, then $\emptyset \neq T \subseteq trans(S \| C)$, too. Again, Prop. (A.4) implies that $T$ is $E$-admissible for $S \| (C + D)$. Case (2) is handled completely symmetrically to Case (1), using Prop. (A.3) to establish $T = enabled(S \| (C + D), E, T) = enabled(S \| D, E, T)$ as well as the $E$-inseparability of $T$ for $S \| D$.

It remains to consider Case (3), i.e., $T \subseteq trans(S)$; in particular, $T \subseteq trans(S \| C)$. If $T$ is $E$-admissible for $S \| (C + D)$, then $T = enabled(S \| (C + D), E, T)$. We use Prop. (A.2) to obtain $enabled(S \| C, E, T) = enabled(S \| C, E, T) \cap T = enabled(S \| (C + D), E, T) \cap T = T$. We can also employ Prop. (A.2) to show that $T$ is inseparable for $S \| C$. If $T' \subsetneq T$, then $(T \setminus T') \subseteq trans(S)$; as a consequence, $enabled(S \| C, E, T') \cap (T \setminus T') = enabled(S \| (C + D), E, T') \cap (T \setminus T') \neq \emptyset$, where the inequality is due to the $E$-inseparability of $T$ with respect to $S \| (C + D)$ and to the first equation derived from Prop. (A.2). This completes the proof that $T$ is $E$-admissible for $S \| C$. In an analogous fashion, one can show that $T$ is $E$-admissible for $S \| D$ using Prop. (A.3). For the other direction of Case (3), assume that $T \subseteq trans(S)$ is $E$-admissible for both $S \| C$ and $S \| D$. From Prop. (A.1), for arbitrary $T' \subseteq T$, we conclude $enabled(S \| (C + D), E, T') = enabled(S \| C, E, T') \cup enabled(S \| D, E, T')$. An immediate consequence of $enabled(S \| C, E, T) = T = enabled(S \| D, E, T)$ is that $enabled(S \| (C + D), E, T) = T$. Moreover, for any $T' \subsetneq T$, and since $enabled(S \| C, E, T') \cap (T \setminus T') \neq \emptyset$, we also have $enabled(S \| (C + D), E, T') \cap (T \setminus T') \neq \emptyset$.
Thus,  T  is  E-admissible  for  5  ||  (C  +  L>).  □ 

We are now able to establish Lemma 4.10.

Proof. [Lemma 4.10] For proving direction "⇐", suppose that $C$ and $D$ are related by the equivalence on the left-hand side of the lemma. By Assumption (ii) this is equivalent to requiring that

$$\big( (C \parallel P) \Downarrow_E A \text{ and } p(C, A) = b \big) \text{ if and only if } \big( (D \parallel P) \Downarrow_E A \text{ and } p(D, A) = b \big), \qquad \text{(A.5)}$$

for all parallel configurations $P \in \mathcal{PC}$, event sets $E, A \subseteq_{\mathrm{fin}} \Pi$, and $b \in \mathbb{B}$. We must show that

$$\Phi[C] \Downarrow_E A \text{ if and only if } \Phi[D] \Downarrow_E A, \qquad \text{(A.6)}$$

for all contexts $\Phi[x] \in \mathcal{C}_f$ and $E, A \subseteq_{\mathrm{fin}} \Pi$. We shall prove the following somewhat stronger invariant by induction on the structure of contexts $\Phi[x]$. For every configuration $S \in \mathcal{C}$ and every set $T_1$ of transitions such that $T_1$ is admissible for $S \parallel \Phi[C]$, there exists a set $T_2$ of transitions, which is admissible for $S \parallel \Phi[D]$, such that

$$\mathrm{act}(T_1) = \mathrm{act}(T_2), \qquad \text{(A.7)}$$

$$T_1 \cap \mathrm{trans}(S) = T_2 \cap \mathrm{trans}(S), \text{ and} \qquad \text{(A.8)}$$

$$T_1 \subseteq \mathrm{trans}(S) \text{ if and only if } T_2 \subseteq \mathrm{trans}(S). \qquad \text{(A.9)}$$

Observing that any initial set $E$ of environment events may be accounted for in configuration $S$, it immediately follows that $\Phi[C] \Downarrow_E A$ implies $\Phi[D] \Downarrow_E A$. Since the other direction is obtained by symmetry, the proof of direction "⇐" of the proposition is then completed. In the following, we first deal with the induction step and subsequently with the slightly more complicated base case.

• Case $\Phi[x] = R \parallel \Psi[x]$ is a trivial application of the induction hypothesis, which is phrased so that it quantifies over arbitrary parallel contexts. Note that $\Psi[x] \in \mathcal{C}_f$ by Prop. (i) for fragment $\mathcal{C}_f$ (closure under sub-configurations). Let $T_1$ be admissible for $S \parallel R \parallel \Psi[C]$. When taking $S' =_{\mathrm{df}} S \parallel R$ and applying the induction hypothesis to $S' \parallel \Psi[C]$, we obtain a set $T_2$ of transitions which is admissible for $S \parallel R \parallel \Psi[D]$, such that

$$\mathrm{act}(T_1) = \mathrm{act}(T_2),$$

$$T_1 \cap \mathrm{trans}(S \parallel R) = T_2 \cap \mathrm{trans}(S \parallel R), \text{ and}$$

$$T_1 \subseteq \mathrm{trans}(S \parallel R) \text{ if and only if } T_2 \subseteq \mathrm{trans}(S \parallel R).$$

The first equality yields Equation (A.7). Moreover, since $\mathrm{trans}(S \parallel R) = \mathrm{trans}(S) \cup \mathrm{trans}(R)$ and $\mathrm{trans}(S) \cap \mathrm{trans}(R) = \emptyset$, the last two statements imply $T_1 \cap \mathrm{trans}(S) = T_2 \cap \mathrm{trans}(S)$, as well as $T_1 \subseteq \mathrm{trans}(S)$ if and only if $T_2 \subseteq \mathrm{trans}(S)$, as required for Props. (A.8) and (A.9).

• When the context is of form $\Phi[x] = R + \Psi[x]$ for some $\Psi[x] \in \mathcal{C}_f$, we let $T_1$ be admissible for $S \parallel (R + \Psi[C])$. By Lemma 4.9 (distributivity) we have to consider three cases:

1. $T_1 \cap \mathrm{trans}(R) \neq \emptyset$, and $T_1$ is admissible for $S \parallel R$.

2. $T_1 \cap \mathrm{trans}(\Psi[C]) \neq \emptyset$, and $T_1$ is admissible for $S \parallel \Psi[C]$.

3. $T_1 \subseteq \mathrm{trans}(S)$, and $T_1$ is admissible for both $S \parallel R$ and $S \parallel \Psi[C]$.

In Case (1), we immediately have that $T_1$ is admissible for $S \parallel (R + \Psi[D])$, simply by applying Lemma 4.9(1) backwards. Hence, we may choose $T_2 =_{\mathrm{df}} T_1$ to satisfy Equations (A.7)-(A.9). In Cases (2) and (3), we appeal to the induction hypothesis as applied to context $\Psi[x]$. This yields a set $T_2$ of transitions, which is admissible for $S \parallel \Psi[D]$, with the properties

$$\mathrm{act}(T_1) = \mathrm{act}(T_2),$$

$$T_1 \cap \mathrm{trans}(S) = T_2 \cap \mathrm{trans}(S), \text{ and}$$

$$T_1 \subseteq \mathrm{trans}(S) \text{ if and only if } T_2 \subseteq \mathrm{trans}(S).$$

This proves Props. (A.7)-(A.9) for Cases (2) and (3) together. What remains to be seen is that $T_2$ is admissible for $S \parallel (R + \Psi[D])$. We demonstrate this separately for Cases (2) and (3).

Let Case (2) be given, i.e., $T_1 \cap \mathrm{trans}(\Psi[C]) \neq \emptyset$. This implies $T_1 \not\subseteq \mathrm{trans}(S)$, whence $T_2 \not\subseteq \mathrm{trans}(S)$ by Prop. (A.9). Since $T_2 \subseteq \mathrm{trans}(S \parallel \Psi[D])$ we obtain $T_2 \cap \mathrm{trans}(\Psi[D]) \neq \emptyset$. According to Lemma 4.9 (distributivity), $T_2$ is admissible for $S \parallel (R + \Psi[D])$, which was to be shown.

Finally, suppose we have Case (3), i.e., $T_1 \subseteq \mathrm{trans}(S)$, and $T_1$ is admissible for $S \parallel R$. By Prop. (A.9), $T_2 \subseteq \mathrm{trans}(S)$ and, further, $T_1 = T_1 \cap \mathrm{trans}(S) = T_2 \cap \mathrm{trans}(S) = T_2$ by Prop. (A.8). But then $T_2$ is admissible not only for $S \parallel \Psi[D]$ but also for $S \parallel R$. Hence, $T_2$ is admissible for $S \parallel (R + \Psi[D])$ by Lemma 4.9. This completes our consideration of context $\Phi[x] = R + \Psi[x]$.

• It remains to prove the base case $\Phi[x] = x$. Suppose $T_1$ is admissible for $S \parallel \Phi[C] = S \parallel C$, where $S \in \mathcal{C}$ is an arbitrary configuration. Let $S_1$ be the parallel composition of all transitions from $S$ that are contained in $T_1$. We will use $S_1$ to refer both to this parallel configuration as well as to the subset of transition names of $T_1$, depending on the context. It is not difficult to show that $T_1$ is admissible for $S_1 \parallel C$, whence $(S_1 \parallel C) \Downarrow \mathrm{act}(T_1)$. By Assumption (A.5), then, $(S_1 \parallel D) \Downarrow \mathrm{act}(T_1)$, i.e., there must exist a set $T_2$ of transitions such that $T_2 \subseteq \mathrm{trans}(S_1 \parallel D) \subseteq \mathrm{trans}(S \parallel D)$ and such that $T_2$ is admissible for $S_1 \parallel D$ and

$$A =_{\mathrm{df}} \mathrm{act}(T_2) = \mathrm{act}(T_1), \text{ and} \qquad \text{(A.10)}$$

$$\mathrm{triggered}(C, A) = \emptyset \text{ if and only if } \mathrm{triggered}(D, A) = \emptyset. \qquad \text{(A.11)}$$

Note that Prop. (A.11) is equivalent to $p(C, A) = p(D, A)$. From Props. (A.10) and (A.11) it follows, so we claim,

$$T_1 \cap \mathrm{trans}(S) = T_2 \cap \mathrm{trans}(S), \text{ and} \qquad \text{(A.12)}$$

$$T_1 \subseteq \mathrm{trans}(S) \text{ if and only if } T_2 \subseteq \mathrm{trans}(S). \qquad \text{(A.13)}$$

Because of $T_1 \subseteq \mathrm{trans}(S_1 \parallel C)$ and $T_2 \subseteq \mathrm{trans}(S_1 \parallel D)$, Prop. (A.12) is equivalent to $T_1 \cap \mathrm{trans}(S_1) = T_2 \cap \mathrm{trans}(S_1)$. The argument behind this is as follows. Since $S_1$ is a parallel composition of single transitions and since $T_1$ is admissible for $S_1 \parallel C$, the set $T_1 \cap \math▁rm{trans}(S_1)$ must consist precisely of all transitions of $S_1$ that are enabled by $A$. Hence, $T_1 \cap \mathrm{trans}(S_1) = \mathrm{triggered}(S_1, A)$. The same is true of $T_2$. Hence, $T_1 \cap \mathrm{trans}(S_1) = T_2 \cap \mathrm{trans}(S_1)$, as desired, which proves Prop. (A.12).

Prop. (A.13) is a consequence of Prop. (A.11). Since $T_1$ is admissible for $S_1 \parallel C$, we have $T_1 = \mathrm{consistent}(S_1 \parallel C, T_1) \cap \mathrm{triggered}(S_1 \parallel C, A)$. This implies that $T_1 \subseteq \mathrm{trans}(S_1)$ is equivalent to $\mathrm{triggered}(C, A) = \emptyset$. For if $T_1 \subseteq \mathrm{trans}(S_1)$, then $\mathrm{triggered}(C, A) \subseteq (\mathrm{trans}(S_1) \cup \mathrm{trans}(C)) \cap (\mathrm{triggered}(S_1, A) \cup \mathrm{triggered}(C, A)) = \mathrm{consistent}(S_1 \parallel C, T_1) \cap \mathrm{triggered}(S_1 \parallel C, A) = T_1 \subseteq \mathrm{trans}(S_1)$. This can only be true if $\mathrm{triggered}(C, A) = \emptyset$. Vice versa, suppose $T_1 \not\subseteq \mathrm{trans}(S_1)$. As $T_1 \subseteq \mathrm{trans}(S_1) \cup \mathrm{trans}(C)$, this means $T_1 \cap \mathrm{trans}(C) \neq \emptyset$. But then, because of $T_1 \cap \mathrm{trans}(C) = \mathrm{consistent}(S_1 \parallel C, T_1) \cap \mathrm{triggered}(S_1 \parallel C, A) \cap \mathrm{trans}(C) \subseteq \mathrm{triggered}(S_1 \parallel C, A) \cap \mathrm{trans}(C) = \mathrm{triggered}(C, A)$, we must have $\mathrm{triggered}(C, A) \neq \emptyset$. In an analogous fashion one shows that $T_2 \subseteq \mathrm{trans}(S_1)$ is equivalent to $\mathrm{triggered}(D, A) = \emptyset$, using the admissibility of $T_2$ for $S_1 \parallel D$. This proves that Prop. (A.13) directly follows from Prop. (A.11).

We are now left with the task of verifying that $T_2$ is admissible for $S \parallel D$. We know that $T_2$ is admissible for $S_1 \parallel D$ and that $T_1$ is admissible for $S \parallel C$. Also, $S_1 = T_1 \cap \mathrm{trans}(S) = T_2 \cap \mathrm{trans}(S)$ and $\mathrm{act}(T_1) = \mathrm{act}(T_2) = A$. We calculate as follows:

$$\begin{aligned}
& \mathrm{enabled}(S \parallel D, \emptyset, T_2) \cap \mathrm{trans}(S) \\
&= \mathrm{consistent}(S \parallel D, T_2) \cap \mathrm{triggered}(S \parallel D, A) \cap \mathrm{trans}(S) \\
&= \mathrm{consistent}(S, T_2 \cap \mathrm{trans}(S)) \cap \mathrm{triggered}(S \parallel D, A) \cap \mathrm{trans}(S) \\
&= \mathrm{consistent}(S, T_1 \cap \mathrm{trans}(S)) \cap \mathrm{triggered}(S \parallel C, A) \cap \mathrm{trans}(S) \\
&= \mathrm{consistent}(S \parallel C, T_1) \cap \mathrm{triggered}(S \parallel C, A) \cap \mathrm{trans}(S) \\
&= \mathrm{enabled}(S \parallel C, \emptyset, T_1) \cap \mathrm{trans}(S) \\
&= T_1 \cap \mathrm{trans}(S) \\
&= T_2 \cap \mathrm{trans}(S). \qquad \text{(A.14)}
\end{aligned}$$

The next to last equation follows from the admissibility of $T_1$ for $S \parallel C$. Moreover, we have

$$\begin{aligned}
& \mathrm{enabled}(S \parallel D, \emptyset, T_2) \cap \mathrm{trans}(D) \\
&= \mathrm{consistent}(S \parallel D, T_2) \cap \mathrm{triggered}(S \parallel D, A) \cap \mathrm{trans}(D) \\
&= \mathrm{consistent}(D, T_2) \cap \mathrm{triggered}(D, A) \cap \mathrm{trans}(D) \\
&= \mathrm{consistent}(S_1 \parallel D, T_2) \cap \mathrm{triggered}(S_1 \parallel D, A) \cap \mathrm{trans}(D) \\
&= \mathrm{enabled}(S_1 \parallel D, \emptyset, T_2) \cap \mathrm{trans}(D) \\
&= T_2 \cap \mathrm{trans}(D). \qquad \text{(A.15)}
\end{aligned}$$

The last step is due to the admissibility of $T_2$ for $S_1 \parallel D$. Since $T_2 \subseteq \mathrm{trans}(S \parallel D) = \mathrm{trans}(S) \cup \mathrm{trans}(D)$, Props. (A.14) and (A.15) imply $T_2 = \mathrm{enabled}(S \parallel D, \emptyset, T_2)$. Finally, the inseparability of $T_2$ for $S \parallel D$ follows from the fact that $\mathrm{enabled}(S_1 \parallel D, \emptyset, T') \subseteq \mathrm{enabled}(S \parallel D, \emptyset, T')$, for all $T' \subseteq T_2$, and from the inseparability of $T_2$ for $S_1 \parallel D$.

This completes the first part of the proof of Lemma 4.10, namely that the equivalence on the left-hand side of the lemma implies $C \simeq_f D$.

Now we tackle the other direction of the proposition under consideration, i.e., we prove that $C \simeq_f D$ entails the equivalence on the left-hand side of the lemma. Let us assume $C \simeq_f D$. Thus, $C$ and $D$ have the same responses in all $\mathcal{C}_f$-contexts. In particular, then, they have the same responses in all parallel $\mathcal{C}_f$-contexts, i.e., $(C \parallel P) \Downarrow_E A$ if and only if $(D \parallel P) \Downarrow_E A$, for all $P \in \mathcal{PC}_f$ and $E, A \subseteq_{\mathrm{fin}} \Pi$. This is because $\Phi[x] =_{\mathrm{df}} x \parallel P$ is simply a special context in $\mathcal{C}_f$, by virtue of the closure properties. To obtain the left-hand side of the lemma, however, we must also verify, for all responses $A$, that $A$ is active for $C$ if and only if $A$ is active for $D$. We prove this property by contradiction. Suppose that, for some $P \in \mathcal{PC}$ and $E, A \subseteq_{\mathrm{fin}} \Pi$, we have $(C \parallel P) \Downarrow_E A$ and $(D \parallel P) \Downarrow_E A$, but $p(C, A) \neq p(D, A)$. We may assume w.l.o.g. that $E = \emptyset$, as $E$ can always be accounted for in $P$, and that $\mathrm{triggered}(C, A) = \emptyset$ but $\mathrm{triggered}(D, A) \neq \emptyset$. Hence, no transition of $C$ is triggered in $A$, but some transitions of $D$ are. We are going to exhibit a context $\Phi[x] \in \mathcal{C}_f$ such that $\Phi[D] \Downarrow A$ but $\Phi[C] \not\Downarrow A$. Let $e \in \Pi$ be some fresh event that does not already occur in either $C$ or $D$. Consider the context $\Phi[x] =_{\mathrm{df}} (t_1 + x) \parallel t_2$, where $t_1$ is the transition $-/e$ (no triggers, action $e$) and where $t_2$ is the transition $-/A$ (no triggers, action set $A$). By Assumption (i) about fragment $\mathcal{C}_f$, we conclude $\Phi[x] \in \mathcal{C}_f$. We claim that (1) $\Phi[D] \Downarrow A$ and (2) $\Phi[C] \not\Downarrow A$. As for (1), we argue as follows. The given response $(D \parallel P) \Downarrow A$ implies that there exists a set $T$ of transitions which is admissible for $D \parallel P$, such that $A = \mathrm{act}(T)$. We claim that $T_1 =_{\mathrm{df}} (T \cap \mathrm{trans}(D)) \cup \{t_2\}$ is admissible for $D \parallel t_2$. First of all,

$$\begin{aligned}
T_1 &= (T \cap \mathrm{trans}(D)) \cup \{t_2\} \\
&= (\mathrm{consistent}(D \parallel P, T) \cap \mathrm{triggered}(D \parallel P, A) \cap \mathrm{trans}(D)) \cup \{t_2\} \\
&= (\mathrm{consistent}(D, T) \cap \mathrm{triggered}(D, A)) \cup \{t_2\} \\
&= \mathrm{consistent}(D \parallel t_2, T_1) \cap \mathrm{triggered}(D \parallel t_2, A) \\
&= \mathrm{consistent}(D \parallel t_2, T_1) \cap \mathrm{triggered}(D \parallel t_2, \mathrm{act}(T_1)) \\
&= \mathrm{enabled}(D \parallel t_2, \emptyset, T_1).
\end{aligned}$$

We wish to show that $T_1$ is also inseparable for $D \parallel t_2$. To this end, assume $T' \subsetneq T_1$. We must prove that there exists a transition $t \in T_1 \setminus T'$ that is triggered by the events in $\mathrm{act}(T')$. Of course, $t_2$ is always triggered, so if $t_2 \in T_1 \setminus T'$ then we are done. Assume $t_2 \in T'$. This implies $A \subseteq \mathrm{act}(T')$, which means by construction of $T_1$ that $\mathrm{act}(T')$ triggers all transitions in $T_1$. Hence, we may choose any transition $t \in T_1 \setminus T'$ to witness the inseparability of $T_1$. Thus, we have shown that $T_1$ is admissible for $D \parallel t_2$. We also have by our assumptions that $\mathrm{triggered}(D, A) \neq \emptyset$, i.e., at least one transition of $D$ is enabled by $A$, so that $T_1 \cap \mathrm{trans}(D) \neq \emptyset$. We may now apply Lemma 4.9 (distributivity) to conclude that $T_1$ is admissible for $(t_1 + D) \parallel t_2 = \Phi[D]$. As $A = \mathrm{act}(T_1)$, this yields $\Phi[D] \Downarrow A$. Surely, $e \notin A$, since the transitions in $T_1$ do not mention event $e$ at all.

It remains to be seen that $\Phi[C] \not\Downarrow A$. We establish this statement by showing that event $e$ must be contained in all responses of $\Phi[C]$. In essence, we prove that the only response of $\Phi[C]$ is $A \cup \{e\}$. Let $T$ be an admissible set of transitions for $\Phi[C] = (t_1 + C) \parallel t_2$. We first observe that $T$ cannot include any transition from $C$. Otherwise, $T$ would have to be admissible for $C \parallel t_2$ by Lemma 4.9. Clearly, $t_2 \in T$, since $t_2$ is unconditionally enabled and consistent with all transitions of $C \parallel t_2$. But then $\{t_2\} \subsetneq T$ and, due to the inseparability of $T$, there would have to exist some transition $t \in T \setminus \{t_2\}$ that is triggered by $\mathrm{act}(\{t_2\}) = A$. This transition $t$ would have to come from configuration $C$. But this is impossible since $\mathrm{triggered}(C, A) = \emptyset$ by our initial assumption, i.e., configuration $C$ does not contain any transition enabled by $A$. Hence, $T \cap \mathrm{trans}(C) = \emptyset$. Lemma 4.9 then implies that $T$ must be admissible for $t_1 \parallel t_2$. Since both transitions $t_1$ and $t_2$ are unconditionally enabled and consistent with each other, we have $T = \{t_1, t_2\}$. Thus, any response $\mathrm{act}(T)$, for every admissible set $T$ for $\Phi[C]$, must be identical to $A \cup \{e\}$. □

Appendix B. Proof of Lemma 4.4 (Expansion). For notational convenience, we introduce the abbreviations $C =_{\mathrm{df}} (P + Q) \parallel R$ and $D =_{\mathrm{df}} (\mathrm{watch}(P, Q) \parallel P \parallel R) + (\mathrm{watch}(Q, P) \parallel Q \parallel R)$. We tacitly assume that the transitions in both copies of $R$ in the expansion $D$ are named apart. To indicate the two copies of $R$ we use the notations $R^l$ and $R^r$ for the left and right occurrences, respectively. By Prop. 4.1, the equivalence of $C$ and $D$ asserted by Lemma 4.4 holds if and only if for all parallel configurations $S \in \mathcal{PC}$ and $A \subseteq_{\mathrm{fin}} \Pi$:

1. $(C \parallel S) \Downarrow A$ implies $(D \parallel S) \Downarrow A$ and $p(C, A) = p(D, A)$.

2. $(D \parallel S) \Downarrow A$ implies $(C \parallel S) \Downarrow A$ and $p(C, A) = p(D, A)$.

It is easy to see that $p(C, A) = p(D, A)$ whenever $A$ is a response of both $C \parallel S$ and $D \parallel S$. The only possible situation where some transition in one of $C$ and $D$ is triggered but none in the other would be when $A$ enabled one of the watchdogs in $D$, as these transitions are not contained in $C$. But this cannot be the case, since then response $A$ would contain event $\bot$. In fact, no transition of any watchdog can ever be enabled in a response $A$. Thus, condition $p(C, A) = p(D, A)$ holds in Statements (1) and (2).
For Statement (1), we assume that $(C \parallel S) \Downarrow A$, i.e., $((P + Q) \parallel R \parallel S) \Downarrow A$. Further, we let $T \subseteq \mathrm{trans}((P + Q) \parallel R \parallel S)$ be a corresponding set of admissible transitions with $\mathrm{act}(T) = A$. By Lemma 4.9, we have the following three cases to consider:

$$T \text{ is admissible for } (P \parallel R \parallel S), \text{ and } T \cap \mathrm{trans}(P) \neq \emptyset. \qquad \text{(B.1)}$$

$$T \text{ is admissible for } (Q \parallel R \parallel S), \text{ and } T \cap \mathrm{trans}(Q) \neq \emptyset. \qquad \text{(B.2)}$$

$$T \text{ is admissible for both } P \parallel R \parallel S \text{ and } Q \parallel R \parallel S, \text{ and } T \subseteq \mathrm{trans}(R \parallel S). \qquad \text{(B.3)}$$

In Case (B.1), $\mathrm{triggered}(P, A) \neq \emptyset$, so the watchdog $\mathrm{watch}(P, Q)$ is switched off, i.e., all of its transitions are disabled. Recall the watchdog property (cf. Prop. 4.3), namely that $T$ is admissible for $\mathrm{watch}(P, Q) \parallel P \parallel R^l \parallel S$ if and only if $T$ is admissible for $P \parallel R^l \parallel S$ and $\mathrm{triggered}(P, A) \neq \emptyset$ or $\mathrm{triggered}(Q, A) = \emptyset$, where $A = \mathrm{act}(T)$. Hence, identifying the transitions of $R$ with those of its copy $R^l$, $T$ is admissible for $\mathrm{watch}(P, Q) \parallel P \parallel R^l \parallel S$. Moreover, $T \cap \mathrm{trans}(P) \neq \emptyset$ implies $T \cap \mathrm{trans}(\mathrm{watch}(P, Q) \parallel P \parallel R^l) \neq \emptyset$, so $(D \parallel S) \Downarrow A$ by Lemma 4.9. This proves Statement (1) in Case (B.1). Case (B.2) is completely symmetric. Finally, consider Case (B.3), in which no transitions of $P$ or $Q$ can be enabled, so both watchdogs $\mathrm{watch}(P, Q)$ and $\mathrm{watch}(Q, P)$ are switched off. Then, $T$ must be admissible for both $\mathrm{watch}(P, Q) \parallel P \parallel R^l \parallel S$ and $\mathrm{watch}(Q, P) \parallel Q \parallel R^r \parallel S$, when invoking the watchdog property (cf. Prop. 4.3). If $T \subseteq \mathrm{trans}(S)$, then $T$ is admissible for $D \parallel S$ by Lemma 4.9. This shows $(D \parallel S) \Downarrow A$. If $T \cap \mathrm{trans}(R) \neq \emptyset$, then $T$ is admissible for $\mathrm{watch}(P, Q) \parallel P \parallel R^l \parallel S$ with $T \cap \mathrm{trans}(\mathrm{watch}(P, Q) \parallel P \parallel R^l) \neq \emptyset$. From Lemma 4.9 again, we infer that $T$ must be admissible for $D \parallel S$, so $(D \parallel S) \Downarrow A$, as desired.

Now we show Statement (2), starting from $(D \parallel S) \Downarrow A$. Let $T$ with $\mathrm{act}(T) = A$ be an admissible set of transitions for $((\mathrm{watch}(P, Q) \parallel P \parallel R^l) + (\mathrm{watch}(Q, P) \parallel Q \parallel R^r)) \parallel S$. Again, we use Lemma 4.9 to distinguish the following three possible situations:

$$T \text{ is admissible for } \mathrm{watch}(P, Q) \parallel P \parallel R^l \parallel S, \text{ and } T \cap \mathrm{trans}(\mathrm{watch}(P, Q) \parallel P \parallel R^l) \neq \emptyset. \qquad \text{(B.4)}$$

$$T \text{ is admissible for } \mathrm{watch}(Q, P) \parallel Q \parallel R^r \parallel S, \text{ and } T \cap \mathrm{trans}(\mathrm{watch}(Q, P) \parallel Q \parallel R^r) \neq \emptyset. \qquad \text{(B.5)}$$

$$T \text{ is admissible for } \mathrm{watch}(P, Q) \parallel P \parallel R^l \parallel S \text{ and } \mathrm{watch}(Q, P) \parallel Q \parallel R^r \parallel S, \text{ and } T \subseteq \mathrm{trans}(S). \qquad \text{(B.6)}$$

In Case (B.4), if $T$ is admissible for $\mathrm{watch}(P, Q) \parallel P \parallel R^l \parallel S$, then no transition of watchdog $\mathrm{watch}(P, Q)$ can be enabled; otherwise, $A = \mathrm{act}(T)$ would contain event $\bot$. Thus, $T \subseteq \mathrm{trans}(P \parallel R^l \parallel S)$, whence $T \cap \mathrm{trans}(P \parallel R^l) = T \cap \mathrm{trans}(\mathrm{watch}(P, Q) \parallel P \parallel R^l) \neq \emptyset$, and $T$ is admissible for $P \parallel R^l \parallel S$. Consequently, $T$ is admissible for $P \parallel R \parallel S$. As $\mathrm{watch}(P, Q)$ is disabled by $A$, we know that $P$ must be enabled or $Q$ must be disabled. In the first case, $T \cap \mathrm{trans}(P) \neq \emptyset$, so by application of Lemma 4.9 we conclude that $T$ is admissible for $(P + Q) \parallel R \parallel S$, which proves $(C \parallel S) \Downarrow A$. If, however, $T \cap \mathrm{trans}(P) = \emptyset$, then we also have $T \cap \mathrm{trans}(Q) = \emptyset$, since then $Q$ is disabled by $A$. This means $T \subseteq \mathrm{trans}(R \parallel S)$, and $T$ must be admissible for both $P \parallel R \parallel S$ and $Q \parallel R \parallel S$. Lemma 4.9 yields that $T$ is admissible for $C \parallel S$, whence $(C \parallel S) \Downarrow A$. Case (B.5) is symmetric and, therefore, omitted. Case (B.6) remains to be checked. In this situation, the response stems from $S$ alone, as no transition in $(\mathrm{watch}(P, Q) \parallel P \parallel R^l) + (\mathrm{watch}(Q, P) \parallel Q \parallel R^r)$ is enabled. As a consequence, no transition in $P + Q$ is enabled, either. Since $T$ is admissible for both $\mathrm{watch}(P, Q) \parallel P \parallel R^l \parallel S$ and $\mathrm{watch}(Q, P) \parallel Q \parallel R^r \parallel S$, by the properties of watchdogs (cf. Prop. 4.3), $T$ is admissible for $P \parallel R^l \parallel S$ and $Q \parallel R^r \parallel S$ at the same time. Moreover, since $T$ does not contain any transitions from $R^l$ and $R^r$, it must then be admissible for both $P \parallel R \parallel S$ and $Q \parallel R \parallel S$. Finally, $T \subseteq \mathrm{trans}(S)$ implies $T \subseteq \mathrm{trans}(R \parallel S)$, so that Lemma 4.9 may be used to show that $T$ is admissible for $C \parallel S$. Hence, $(C \parallel S) \Downarrow A$. This completes the proof of Lemma 4.4.
Appendix C. Alternative Approach: Encoding the Choice Operator. Another way of obtaining a fully-abstract semantics for Statecharts, based on our results for the parallel fragment presented in Sec. 3, is to eliminate the choice operator by a syntactic encoding using the parallel operator. The advantage of such a method over the one employed in Sec. 4 is that we can use the simpler semantics of the parallel fragment of our configuration algebra, namely behaviors, as opposed to the more involved contexts and enabling information. However, the alternative method is, again, not purely semantic, as it involves a syntactic transformation process.

The key observation for the work in this section is that the choice operator $+$ may be eliminated in terms of the parallel operator $\parallel$ by using transition names as special events. Intuitively, the event represented by a transition name $t \in \mathcal{T}$, which we refer to as a transition event, indicates that "transition $t$ has fired". Technically, we let $\Pi^+ =_{\mathrm{df}} \Pi \cup \mathcal{T}$ denote the extended set of events. The idea behind our encoding is to implement the constraint of the operational semantics, which governs the handling of $+$, explicitly in terms of transition events. More precisely, for every configuration $C$ and set $T \subseteq \mathcal{T}$ of transition names, we define a parallel configuration $C^+_T$ that is equivalent to $C$ under the assumption that no transition from $T$ is executed together with a transition in $C$, i.e., parameter $T$ in translation $C^+_T$ represents a set of transitions that must be orthogonal to all transitions in $C$. In our encoding we achieve this by adding $T$ as negative trigger events to all transitions in $C$. At the same time, we add to every transition $t$ in $C$ its transition name $t$ as a new event to its action, so that whenever $t$ is fired this fact is signaled to the environment. Transition event $t$ can be used by the environment to block those transitions that are not orthogonal, or inconsistent, to $t$. As an example, consider configuration

$$((t_1 : a/b + t_2 : b/c) \parallel t_3 : c/d)^+ = (t_1 : \bar{t}_2, a / b, t_1) \parallel (t_2 : \bar{t}_1, b / c, t_2) \parallel (t_3 : c / d, t_3),$$

where $\bar{t}_2$ and $\bar{t}_1$ denote the added negative triggers. The mutual exclusion of transitions $t_1$ and $t_2$ is now generated by the event signaling scheme regarding transition events $t_1$ and $t_2$. However, in the encoding, actions will no longer be uniquely determined by transition names. Hence, the actions generated by a given set $T$ of transitions now depend on configuration $C$. To account for this, we replace $\mathrm{act}(T)$ by the notation $\mathrm{generated}(C, T)$ in the sequel.

We now formalize our translation. Let $T \subseteq \mathcal{T}$ be a finite set of transition names and $C$ be an arbitrary configuration. We define the encoding of $C$ relative to $T$ inductively along the structure of $C$.

$$(t : P, N / A)^+_T =_{\mathrm{df}} t : P, N \cup T / A \cup \{t\}$$

$$(C_1 \parallel C_2)^+_T =_{\mathrm{df}} (C_1)^+_T \parallel (C_2)^+_T$$

$$(C_1 + C_2)^+_T =_{\mathrm{df}} (C_1)^+_{T \cup \mathrm{trans}(C_2)} \parallel (C_2)^+_{T \cup \mathrm{trans}(C_1)}$$

For notational convenience, we often write $C^+$ instead of $C^+_\emptyset$. Observe that $C$ and $C^+$ have exactly the same transition names, i.e., $\mathrm{trans}(C) = \mathrm{trans}(C^+)$. The difference between the two configurations is that transitions in $C^+$ have additional negative triggers and action events. More precisely, each transition $t : P, N / A$ in $C$ corresponds to transition $t : P, N \cup N' / A, t$ in $C^+$, where $N' =_{\mathrm{df}} \mathrm{trans}(C) \setminus \mathrm{consistent}(C, \{t\})$. In other words, the additional negative triggers are the names of all transitions which are in conflict with $t$, and the extra action is the transition name $t$. Hence, $\mathrm{generated}(C^+, T) = \mathrm{generated}(C, T) \cup T$. The equivalence between $C$ and $C^+$ is highlighted by the following lemma, which implies that a finite set $T$ of transitions is $E$-admissible for $C$ if and only if it is $E$-admissible for $C^+$.

Lemma C.1. Let $C$ be a configuration and $E$ a set of events, where neither $C$ nor $E$ contains any transition event. Then, $\mathrm{enabled}(C, E, T) = \mathrm{enabled}(C^+, E, T)$ holds, for every set $T \subseteq \mathrm{trans}(C)$ of transitions.
Proof. Recall that $\mathrm{trans}(C) = \mathrm{trans}(C^+)$. Let $T \subseteq \mathrm{trans}(C)$ be chosen arbitrarily. The equation $\mathrm{enabled}(C, E, T) = \mathrm{enabled}(C^+, E, T)$ is equivalent to

$$\mathrm{consistent}(C, T) \cap \mathrm{triggered}(C, E \cup \mathrm{generated}(C, T)) = \mathrm{consistent}(C^+, T) \cap \mathrm{triggered}(C^+, E \cup \mathrm{generated}(C^+, T)).$$

Let $t \in \mathrm{consistent}(C, T) \cap \mathrm{triggered}(C, E \cup \mathrm{generated}(C, T))$. As $C^+ \in \mathcal{PC}$, we have $\mathrm{consistent}(C^+, T) = \mathrm{trans}(C^+)$, whence $t \in \mathrm{consistent}(C^+, T)$. It remains to show $t \in \mathrm{triggered}(C^+, E \cup \mathrm{generated}(C^+, T))$. We know that, if $t$ is of form $t : P, N / A$ in $C$, then it must look like $t : P, N \cup N' / A, t$ in $C^+$, where $N' =_{\mathrm{df}} \mathrm{trans}(C) \setminus \mathrm{consistent}(C, \{t\})$. Since $t \in \mathrm{triggered}(C, E \cup \mathrm{generated}(C, T))$ and $\mathrm{generated}(C^+, T) = \mathrm{generated}(C, T) \cup T$, we just need to show that $N \cap T = \emptyset$ and $N' \cap (\mathrm{generated}(C, T) \cup T) = \emptyset$. The former follows from the fact that $C$ does not use transition events, and $N' \cap \mathrm{generated}(C, T) = \emptyset$ holds for the same reason. The missing piece is $N' \cap T = \emptyset$, which can be established as follows. By assumption, $t \in \mathrm{consistent}(C, T)$ and, thus, $T \subseteq \mathrm{consistent}(C, \{t\})$, by the symmetry of consistency. But as $N' = \mathrm{trans}(C) \setminus \mathrm{consistent}(C, \{t\})$, the desired result is immediate.

For the other direction, assume $t \in \mathrm{consistent}(C^+, T) \cap \mathrm{triggered}(C^+, E \cup \mathrm{generated}(C^+, T))$, which is equivalent to $t \in \mathrm{triggered}(C^+, E \cup \mathrm{generated}(C^+, T))$ because of $\mathrm{consistent}(C^+, T) = \mathrm{trans}(C^+)$. Suppose $t$ in $C^+$ has the form $t : P, N \cup N' / A, t$, where $N' = \mathrm{trans}(C) \setminus \mathrm{consistent}(C, \{t\})$. Since $t$ is triggered in $C^+$ by $E \cup \mathrm{generated}(C^+, T) = E \cup \mathrm{generated}(C, T) \cup T$, we must have

$$P \subseteq E \cup \mathrm{generated}(C, T) \cup T, \text{ and} \qquad \text{(C.1)}$$

$$(N \cup N') \cap (E \cup \mathrm{generated}(C, T) \cup T) = \emptyset. \qquad \text{(C.2)}$$

As $P$ cannot contain any transition name, Prop. (C.1) implies $P \subseteq E \cup \mathrm{generated}(C, T)$. This yields the first half of the argument that $t$ is triggered in $C$ by $E \cup \mathrm{generated}(C, T)$. Recall that $t$ in $C$ is $t : P, N / A$. The second half, thus, is to show that $N \cap (E \cup \mathrm{generated}(C, T)) = \emptyset$. But this is an immediate consequence of Prop. (C.2), i.e., $t \in \mathrm{triggered}(C, E \cup \mathrm{generated}(C, T))$, too. It remains to be seen why $t \in \mathrm{consistent}(C, T)$. Here we can use $N' = \mathrm{trans}(C) \setminus \mathrm{consistent}(C, \{t\})$ in conjunction with Prop. (C.2). This property implies that $N'$ and $T$ are disjoint, which, because of $T \subseteq \mathrm{trans}(C)$, means $T \subseteq \mathrm{consistent}(C, \{t\})$. But this is the same as stating $t \in \mathrm{consistent}(C, T)$. Thus, we have shown $t \in \mathrm{consistent}(C, T) \cap \mathrm{triggered}(C, E \cup \mathrm{generated}(C, T))$, which completes our proof. □

A direct consequence of Lemma C.1 is that our encoding preserves the step semantics of configurations, up to transition names.

Proposition C.2. For all configurations $C$, event sets $E, A \subseteq_{\mathrm{fin}} \Pi$, and contexts $\Phi[x]$ such that $C$ and $\Phi[x]$ do not contain transition events:

1. $\Phi[C] \Downarrow_E A$ implies $\exists T \subseteq \mathrm{trans}(C).\ \Phi[C^+] \Downarrow_E (A \cup T)$.

2. $\Phi[C^+] \Downarrow_E A$ implies $\exists T \subseteq \mathrm{trans}(C).\ \Phi[C] \Downarrow_E (A \setminus T)$.

Proof. We first prove the special case $\Phi[C] = C$, where the context is trivial but $C$ may be arbitrary, i.e., $C$ possibly contains transition names as events. We have to establish the following two properties:

1. $C \Downarrow_E A$ implies $\exists T \subseteq \mathrm{trans}(C).\ C^+ \Downarrow_E (A \cup T)$, and

2. $C^+ \Downarrow_E A$ implies $\exists T \subseteq \mathrm{trans}(C).\ C \Downarrow_E (A \setminus T)$.

To prove Case (1), suppose $C \Downarrow_E A$. Then, there exists an $E$-admissible set $T \subseteq \mathrm{trans}(C)$ of transitions from $C$ for which $A = E \cup \mathrm{generated}(C, T)$. Since, by Lemma C.1, $\mathrm{enabled}(C, E, T) = \mathrm{enabled}(C^+, E, T)$ for all $T \subseteq \mathrm{trans}(C) = \mathrm{trans}(C^+)$, transition set $T$ must also be an $E$-admissible set for $C^+$. We define $B =_{\mathrm{df}} E \cup \mathrm{generated}(C^+, T)$, whence $C^+ \Downarrow_E B$. Since $\mathrm{generated}(C^+, T) = \mathrm{generated}(C, T) \cup T$, we obtain $B = A \cup T$, as required. Next, consider Case (2) and assume $C^+ \Downarrow_E A$. Thus, there exists an $E$-admissible set $T$ of transitions for $C^+$ such that $A = E \cup \mathrm{generated}(C^+, T)$. Again, by Lemma C.1, $T$ must be $E$-admissible for $C$, too. Defining $B =_{\mathrm{df}} E \cup \mathrm{generated}(C, T)$, we have $C \Downarrow_E B$. Since $\mathrm{generated}(C^+, T) = \mathrm{generated}(C, T) \cup T$ and $\mathrm{generated}(C, T) \cap T = \emptyset$, we conclude $B = A \setminus T$. This implies $C \Downarrow_E (A \setminus T)$, which proves Case (2).

Finally, let us consider the general case. Its proof depends on the fact that for all contexts $\Phi[x]$ and configurations $C$:

$$(\Phi[C^+])^+ = (\Phi[C])^+, \qquad \text{(C.3)}$$

which can be shown without difficulty by a separate induction on the structure of $\Phi[x]$. We also assume that $\Phi[C]$ does not contain any transition names as events. Suppose $\Phi[C] \Downarrow_E A$. Then, Case (1) implies that there exists a transition set $T \subseteq \mathrm{trans}(\Phi[C])$ satisfying $(\Phi[C])^+ \Downarrow_E (A \cup T)$. Now, Prop. (C.3) implies $(\Phi[C^+])^+ \Downarrow_E (A \cup T)$. From this, by Case (2), we obtain $T' \subseteq \mathrm{trans}(\Phi[C^+]) = \mathrm{trans}(\Phi[C])$ such that $\Phi[C^+] \Downarrow_E ((A \cup T) \setminus T')$. Since $A \cap T' = \emptyset$, we obtain $(A \cup T) \setminus T' = A \cup (T \setminus T')$; moreover, as $\Phi[x]$ contains no transition events, the only transition names in a response of $\Phi[C^+]$ stem from $C$, so $T \setminus T' \subseteq \mathrm{trans}(C)$. This was to be shown.

For the other direction, let $\Phi[C^+] \Downarrow_E A$. As $\Phi[\cdot]$ does not have any transition names as events, all transition names in $A$ must come from $C$, i.e., $A \cap \mathcal{T} \subseteq \mathrm{trans}(C)$. We employ Case (1) to conclude $(\Phi[C^+])^+ \Downarrow_E (A \cup T)$, for some transition set $T \subseteq \mathrm{trans}(\Phi[C^+]) = \mathrm{trans}(\Phi[C])$. Further, Prop. (C.3) implies $(\Phi[C])^+ \Downarrow_E (A \cup T)$, whence by Case (2), there exists $T' \subseteq \mathrm{trans}(\Phi[C])$ such that $\Phi[C] \Downarrow_E ((A \cup T) \setminus T')$. Since by assumption $\Phi[C]$ does not contain any transition names as events, we must have $T' \supseteq T$. Moreover, as $A$ is the response of $\Phi[C^+]$, the only transition names in $A$ are those from $\mathrm{trans}(C)$, in accordance with our assumption about the context. Hence, there exists a transition set $T'' \subseteq \mathrm{trans}(C)$ such that $A \setminus T' = A \setminus T''$. This implies $(A \cup T) \setminus T' = (A \setminus T') \cup (T \setminus T') = (A \setminus T'') \cup \emptyset = A \setminus T''$, as desired. □

Let us assume that $C$ is a configuration that does not use transition names as events. Then Prop. C.2 implies that $C$ and $C^+$ have exactly the same step responses, if we ignore all transition names in the responses of the encoding. In fact, the difference between $C$ and $C^+$ is that the responses of the latter also record all transitions from $C$ that have fired to produce the given response. Finally, observe that Prop. C.2 actually states that $C$ and $C^+$ have, up to transition names, the same responses in all contexts, whence our encoding is compositional.
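The step semantics and the encoding of Appendix C, as an added executable example (our own Python model, not the authors' code or any tool of theirs): `enabled`, `admissible` and `responses` implement the functions used throughout Appendices A to C by brute-force enumeration of transition subsets, `plus` implements $(\cdot)^+_T$, and the two checkers `distributivity_holds` and `encoding_agrees` confirm Lemma 4.9 and Lemma C.1 / Prop. C.2 on the running example $(t_1 : a/b + t_2 : b/c) \parallel t_3 : c/d$ and on a small $S \parallel (C + D)$. All identifiers are our own; the conflict relation used by `consistent` (two transitions conflict iff some choice operator separates them) is our reading of the paper's consistency notion, and the sample configurations are constructed for this illustration.

```python
"""Toy model of the configuration algebra: transitions t : P,N/A, parallel
composition || and choice +, the enabled/admissible step semantics, and the
choice-eliminating encoding (.)^+_T of Appendix C.  Added illustration, not
the authors' code; Tr, Par, Sum, enabled, plus, ... are our own names."""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Union

Events = FrozenSet[str]

@dataclass(frozen=True)
class Tr:            # a single transition t : P, N / A
    name: str
    pos: Events      # positive triggers P
    neg: Events      # negative triggers N
    act: Events      # actions A

@dataclass(frozen=True)
class Par:           # C1 || C2
    left: "Config"
    right: "Config"

@dataclass(frozen=True)
class Sum:           # C1 + C2
    left: "Config"
    right: "Config"

Config = Union[Tr, Par, Sum]

def trs(c):
    """Transitions of c, keyed by transition name."""
    return {c.name: c} if isinstance(c, Tr) else {**trs(c.left), **trs(c.right)}

def trans(c):
    return frozenset(trs(c))

def conflicts(c):
    """Pairs of transition names separated by some choice operator (our reading
    of inconsistency: such transitions can never fire in the same step)."""
    if isinstance(c, Tr):
        return set()
    cs = conflicts(c.left) | conflicts(c.right)
    if isinstance(c, Sum):
        cs |= {frozenset((u, v)) for u in trans(c.left) for v in trans(c.right)}
    return cs

def consistent(c, T):
    cs = conflicts(c)
    return frozenset(t for t in trans(c) if all(frozenset((t, u)) not in cs for u in T))

def triggered(c, E):
    return frozenset(t for t, x in trs(c).items() if x.pos <= E and not (x.neg & E))

def generated(c, T):
    """act(T) for plain configurations; after the encoding it depends on c."""
    return frozenset().union(*(trs(c)[t].act for t in T if t in trs(c)))

def enabled(c, E, T):
    return consistent(c, T) & triggered(c, E | generated(c, T))

def subsets(s):
    s = sorted(s)
    return (frozenset(k) for n in range(len(s) + 1) for k in combinations(s, n))

def admissible(c, E, T):
    """T = enabled(c,E,T), and T is E-inseparable: every proper subset T' of T
    already enables some transition of T minus T'."""
    if T != enabled(c, E, T):
        return False
    return all(enabled(c, E, Tp) & (T - Tp) for Tp in subsets(T) if Tp != T)

def responses(c, E):
    """All A with c ⇓_E A, i.e. A = E ∪ generated(c,T) for an E-admissible T."""
    return frozenset(E | generated(c, T) for T in subsets(trans(c)) if admissible(c, E, T))

def plus(c, T=frozenset()):
    """The encoding (c)^+_T: block on the names in T, announce the own name."""
    if isinstance(c, Tr):
        return Tr(c.name, c.pos, c.neg | T, c.act | {c.name})
    if isinstance(c, Par):
        return Par(plus(c.left, T), plus(c.right, T))
    return Par(plus(c.left, T | trans(c.right)), plus(c.right, T | trans(c.left)))

def distributivity_holds(S, C, D, E):
    """Lemma 4.9 by enumeration: T is E-admissible for S || (C + D) iff one of
    the three cases (1)-(3) of the lemma applies."""
    whole = Par(S, Sum(C, D))
    for T in subsets(trans(whole)):
        case1 = T & trans(C) and admissible(Par(S, C), E, T)
        case2 = T & trans(D) and admissible(Par(S, D), E, T)
        case3 = (T <= trans(S) and admissible(Par(S, C), E, T)
                 and admissible(Par(S, D), E, T))
        if admissible(whole, E, T) != bool(case1 or case2 or case3):
            return False
    return True

def encoding_agrees(c, E):
    """Lemma C.1 and Prop. C.2 for c without transition events: enabled agrees
    on every T, and the responses agree once transition names are erased."""
    cp, names = plus(c), trans(c)
    same_enabled = all(enabled(c, E, T) == enabled(cp, E, T) for T in subsets(names))
    same_responses = frozenset(A - names for A in responses(cp, E)) == responses(c, E)
    return same_enabled and same_responses

def tr(name, pos="", neg="", act=""):
    """Convenience constructor; event sets are given as space-separated strings."""
    return Tr(name, frozenset(pos.split()), frozenset(neg.split()), frozenset(act.split()))

# Constructed sample: the running example of Appendix C, (t1 : a/b + t2 : b/c) || t3 : c/d
EXAMPLE = Par(Sum(tr("t1", "a", act="b"), tr("t2", "b", act="c")), tr("t3", "c", act="d"))
```

With environment $E = \{b\}$ the example has the single response $\{b, c, d\}$ (transitions $t_2$ and $t_3$ fire), and `responses(plus(EXAMPLE), {"b"})` returns $\{b, c, d, t_2, t_3\}$, i.e. the same response plus the names of the transitions that fired, which is exactly the extra information Prop. C.2 says the encoding records. The brute-force enumeration is exponential in the number of transitions and is meant for checking the lemmas on small configurations, not as an implementation of the step semantics.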
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